diff mbox series

remoteproc: avoid array index out of bounds in debugfs file

Message ID 20220328123413.18169-1-xiaobing.shi@mediatek.com (mailing list archive)
State Superseded
Headers show
Series remoteproc: avoid array index out of bounds in debugfs file | expand

Commit Message

Xiaobing shi March 28, 2022, 12:34 p.m. UTC 
There is a negative offset of an on-stack array that causes an out of
bounds issue when someone called with a zero 'count' argument to
syswrite().

	buf[count - 1]

We should add an extra check in rproc_coredump_write() to prevent the
access.

Signed-off-by: Xiaobing shi <xiaobing.shi@mediatek.com>
---
 drivers/remoteproc/remoteproc_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Miles Chen March 29, 2022, 2:46 a.m. UTC | #1 
Hi Xiaobing,

> There is a negative offset of an on-stack array that causes an out of
> bounds issue when someone called with a zero 'count' argument to
> syswrite().
> 
> 	buf[count - 1]
> 
> We should add an extra check in rproc_coredump_write() to prevent the
> access.
> 
> Signed-off-by: Xiaobing shi <xiaobing.shi@mediatek.com>

Thanks for the patch.
However, Alistair has fixed this issue:
https://lore.kernel.org/all/20220119232139.1125908-1-adelva@google.com/

Thanks,
Miles
diff mbox series

Patch

diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c
index b5a1e3b697d9..581930483ef8 100644
--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -76,7 +76,7 @@  static ssize_t rproc_coredump_write(struct file *filp,
 	int ret, err = 0;
 	char buf[20];
 
-	if (count > sizeof(buf))
+	if (count < 1 || count > sizeof(buf))
 		return -EINVAL;
 
 	ret = copy_from_user(buf, user_buf, count);