From: Miaoqian Lin Date: Fri, 29 Aug 2025 08:30:15 +0000 (+0800) Subject: xtensa: simdisk: add input size check in proc_write_simdisk X-Git-Tag: v6.1.157~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf;p=thirdparty%2Fkernel%2Fstable.git xtensa: simdisk: add input size check in proc_write_simdisk commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream. A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()") Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk") Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin Message-Id: <20250829083015.1992751-1-linmq006@gmail.com> Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman --- diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c index f50caaa1c2496..adc969395fb06 100644 --- a/arch/xtensa/platforms/iss/simdisk.c +++ b/arch/xtensa/platforms/iss/simdisk.c @@ -230,10 +230,14 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf, static ssize_t proc_write_simdisk(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - char *tmp = memdup_user_nul(buf, count); + char *tmp; struct simdisk *dev = pde_data(file_inode(file)); int err; + if (count == 0 || count > PAGE_SIZE) + return -EINVAL; + + tmp = memdup_user_nul(buf, count); if (IS_ERR(tmp)) return PTR_ERR(tmp);