git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Tudor Ambarus <tudor.ambarus@linaro.org>
	Fri, 17 Apr 2026 15:24:39 +0000 (15:24 +0000)
committer	Miquel Raynal <miquel.raynal@bootlin.com>
	Mon, 27 Apr 2026 13:04:11 +0000 (15:04 +0200)
commit	e47029b977e747cb3a9174308fd55762cce70147
tree	b0de542c0a1f1be256b5aab935fdb97473ff70d2	tree \| snapshot
parent	254f49634ee16a731174d2ae34bc50bd5f45e731	commit \| diff

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>