On 2025-05-08 15:06:11 Thu, Markus Burri wrote:
> The buffer is set to 20 characters. If a caller writes more characters,
> count is truncated to the max available space in "simple_write_to_buffer".
> To protect from OoB access, check that the input size fits into buffer and
> add a zero terminator after copy to the end of the copied data.
>
> Signed-off-by: Markus Burri <markus.bu...@mt.com>
Thanks for the fix. Acked-by: Mahesh Salgaonkar <mah...@linux.ibm.com> Thanks, -Mahesh. > --- > arch/powerpc/kernel/eeh.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c > index 83fe99861eb1..92ef05d3678d 100644 > --- a/arch/powerpc/kernel/eeh.c > +++ b/arch/powerpc/kernel/eeh.c > @@ -1734,10 +1734,15 @@ static ssize_t eeh_force_recover_write(struct file > *filp, > char buf[20]; > int ret; > > - ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count); > + if (count >= sizeof(buf)) > + return -EINVAL; > + > + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, > count); > if (!ret) > return -EFAULT; > > + buf[ret] = '\0'; > + > /* > * When PE is NULL the event is a "special" event. Rather than > * recovering a specific PE it forces the EEH core to scan for failed > -- > 2.39.5 > > -- Mahesh J Salgaonkar
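Review bot: The `if (!ret)` check in eeh_force_recover_write() only rejects a zero return, so a negative error code from simple_write_to_buffer() (ret is a signed int) falls through to the new `buf[ret] = '\0';` and writes before the start of the 20-byte stack buffer. Return on any non-positive result before terminating, for example `if (ret < 0) return ret;` followed by the existing zero check, or a single `if (ret <= 0)` branch. A related point on the same lines: the copy lands at `buf + *ppos`, while the terminator goes at `buf[ret]`, so a write with a nonzero file offset leaves the leading bytes of buf uninitialized and the terminator in the wrong place; rejecting `*ppos != 0` next to the new `count >= sizeof(buf)` check would close that. With that size check in place, passing `sizeof(buf) - 1` as the available length is redundant for offset zero but harmless.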