leds: uleds: Fix potential buffer overread
authorArmin Wolf <W_Armin@gmx.de>
Sun, 24 May 2026 23:55:53 +0000 (01:55 +0200)
committerLee Jones <lee@kernel.org>
Wed, 17 Jun 2026 10:30:08 +0000 (11:30 +0100)
The name string supplied by userspace is not guaranteed to be
null-terminated, so using strchr() on it might result in a buffer
overread. The same thing will happen when said string is used by
the LED class device.

Fix this by using strnchr() instead and explicitly checking that
the name string is properly null-terminated.

Cc: stable@vger.kernel.org
Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20260524235553.189134-1-W_Armin@gmx.de
Signed-off-by: Lee Jones <lee@kernel.org>
drivers/leds/uleds.c

index 470015e3f80203070c4c0ecb446525f8f55b4a11..6affa581b61d704f55d32500cccc17668b6418e1 100644 (file)
@@ -102,7 +102,8 @@ static ssize_t uleds_write(struct file *file, const char __user *buffer,
 
        name = udev->user_dev.name;
        if (!name[0] || !strcmp(name, ".") || !strcmp(name, "..") ||
-           strchr(name, '/')) {
+           strnchr(name, sizeof(udev->user_dev.name), '/') ||
+           !strnchr(name, sizeof(udev->user_dev.name), '\0')) {
                ret = -EINVAL;
                goto out;
        }
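Review bot: The terminator test `!strnchr(name, sizeof(udev->user_dev.name), '\0')` is the last term of the condition, so the two `strcmp()` calls ahead of it still run on a string that may not be terminated. They look safe only because comparing against "." and ".." reads at most three bytes, which presumably fits well inside the name array (its size is not visible in this hunk). Putting the terminator test first, or writing it as `strnlen(name, sizeof(udev->user_dev.name)) == sizeof(udev->user_dev.name)`, would make the invariant hold for every later term and be easier to recognise. A one-line comment above the check, such as `/* name is supplied by userspace and may lack a NUL terminator */`, would record why the bounded search is required. uleds_write() starts and ends outside the hunk.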