On 2025-05-08 15:06:12 Thu, Markus Burri wrote: > The buffer is set to 50 characters. If a caller write more characters, > count is truncated to the max available space in "simple_write_to_buffer". > To protect from OoB access, check that the input size fit into buffer and > add a zero terminator after copy to the end of the copied data. > > Signed-off-by: Markus Burri <markus.bu...@mt.com>
Looks perfect to me. Acked-by: Mahesh Salgaonkar <mah...@linux.ibm.com> Thanks, -Mahesh. > --- > arch/powerpc/platforms/powernv/eeh-powernv.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c > b/arch/powerpc/platforms/powernv/eeh-powernv.c > index db3370d1673c..3abee21fdd05 100644 > --- a/arch/powerpc/platforms/powernv/eeh-powernv.c > +++ b/arch/powerpc/platforms/powernv/eeh-powernv.c > @@ -73,14 +73,19 @@ static ssize_t pnv_eeh_ei_write(struct file *filp, > char buf[50]; > int ret; > > + if (count >= sizeof(buf)) > + return -EINVAL; > + > if (!eeh_ops || !eeh_ops->err_inject) > return -ENXIO; > > /* Copy over argument buffer */ > - ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count); > + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, > count); > if (!ret) > return -EFAULT; > > + buf[ret] = '\0'; > + > /* Retrieve parameters */ > ret = sscanf(buf, "%x:%x:%x:%lx:%lx", > &pe_no, &type, &func, &addr, &mask); > -- > 2.39.5 > > -- Mahesh J Salgaonkar
