From: Armin Wolf <W_Armin@gmx.de>
Date: Sun, 24 May 2026 23:55:53 +0000 (+0200)
Subject: leds: uleds: Fix potential buffer overread
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c19fe864f667afc49d1391d764e20b66555bcf7a;p=thirdparty%2Fkernel%2Flinux.git

leds: uleds: Fix potential buffer overread

The name string supplied by userspace is not guaranteed to be
null-terminated, so using strchr() on it might result in a buffer
overread. The same thing will happen when said string is used by
the LED class device.

Fix this by using strnchr() instead and explicitly check that
the name string is properly null-terminated.

Cc: stable@vger.kernel.org
Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20260524235553.189134-1-W_Armin@gmx.de
Signed-off-by: Lee Jones <lee@kernel.org>
---

diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c
index 470015e3f8020..6affa581b61d7 100644
--- a/drivers/leds/uleds.c
+++ b/drivers/leds/uleds.c
@@ -102,7 +102,8 @@ static ssize_t uleds_write(struct file *file, const char __user *buffer,
 
 	name = udev->user_dev.name;
 	if (!name[0] || !strcmp(name, ".") || !strcmp(name, "..") ||
-	    strchr(name, '/')) {
+	    strnchr(name, sizeof(udev->user_dev.name), '/') ||
+	    !strnchr(name, sizeof(udev->user_dev.name), '\0')) {
 		ret = -EINVAL;
 		goto out;
 	}