debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
char input_buf[1];
int rc = user_len;
+ if (!user_len) {
+ rc = -EINVAL;
+ goto out;
+ }
+
if (user_len > 0x10000)
user_len = 0x10000;
if (*offset != 0) {
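Review bot: the new `if (!user_len)` guard returns -EINVAL for an empty write, whereas the usual write(2) convention is that a zero-length write returns 0 without touching the buffer; if any userspace tooling issues empty writes to this debugfs file, `rc = 0; goto out;` would be the less surprising choice, so it is worth stating in the commit message why -EINVAL was chosen. The guard would also benefit from a one-line comment tying it to the `char input_buf[1]` declaration above it, since the reason the length check matters (the copy below is always exactly one byte) is not visible at the check itself. Finally, `int rc = user_len;` is still initialised before the guard; moving that assignment after the new check, next to the `user_len > 0x10000` clamp, keeps the initial value of `rc` from silently referring to a length that may already have been rejected.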