The buffer is set to 50 characters. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
To protect from OoB access, check that the input size fit into buffer and
add a zero terminator after copy to the end of the copied data.
Signed-off-by: Markus Burri <markus.bu...@mt.com>
---
arch/powerpc/platforms/powernv/eeh-powernv.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c
b/arch/powerpc/platforms/powernv/eeh-powernv.c
index db3370d1673c..3abee21fdd05 100644
--- a/arch/powerpc/platforms/powernv/eeh-powernv.c
+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c
@@ -73,14 +73,19 @@ static ssize_t pnv_eeh_ei_write(struct file *filp,
char buf[50];
int ret;
+ if (count >= sizeof(buf))
+ return -EINVAL;
+
if (!eeh_ops || !eeh_ops->err_inject)
return -ENXIO;
/* Copy over argument buffer */
- ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
count);
if (!ret)
return -EFAULT;
+ buf[ret] = '\0';
+
/* Retrieve parameters */
ret = sscanf(buf, "%x:%x:%x:%lx:%lx",
&pe_no, &type, &func, &addr, &mask);
--
2.39.5
