From: Vasily Gorbik <gor@linux.ibm.com>
Date: Fri, 17 Apr 2026 12:33:43 +0000 (+0200)
Subject: s390/debug: Reject zero-length input in debug_input_flush_fn()
X-Git-Tag: v7.1-rc2~11^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e14622a7584f9608927c59a7d6ae4a0999dc545e;p=thirdparty%2Fkernel%2Fstable.git

s390/debug: Reject zero-length input in debug_input_flush_fn()

debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
---

diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 2612f634e826..7650f2adb5cf 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1587,6 +1587,11 @@ static int debug_input_flush_fn(debug_info_t *id, struct debug_view *view,
 	char input_buf[1];
 	int rc = user_len;
 
+	if (!user_len) {
+		rc = -EINVAL;
+		goto out;
+	}
+
 	if (user_len > 0x10000)
 		user_len = 0x10000;
 	if (*offset != 0) {