xtensa: simdisk: add input size check in proc_write_simdisk

commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream.

A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.

This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")

Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Message-Id: <20250829083015.1992751-1-linmq006@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index d6d2b533a5744da3a95bd4950f199f1e2aa9ab0a..f5add569ca8308288afc88dc73c5dfa4f7799889 100644 (file)
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -230,10 +230,14 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
 static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
                        size_t count, loff_t *ppos)
 {
-       char *tmp = memdup_user_nul(buf, count);
+       char *tmp;
        struct simdisk *dev = pde_data(file_inode(file));
        int err;
 
+       if (count == 0 || count > PAGE_SIZE)
+               return -EINVAL;
+
+       tmp = memdup_user_nul(buf, count);
        if (IS_ERR(tmp))
                return PTR_ERR(tmp);