The buffer is set to 20 characters. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
To protect from OoB access, check that the input size fit into buffer and
add a zero terminator after copy to the end of the copied data.
Signed-off-by: Markus Burri <markus.bu...@mt.com>
---
arch/powerpc/kernel/eeh.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index 83fe99861eb1..92ef05d3678d 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1734,10 +1734,15 @@ static ssize_t eeh_force_recover_write(struct file
*filp,
char buf[20];
int ret;
- ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+ if (count >= sizeof(buf))
+ return -EINVAL;
+
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
count);
if (!ret)
return -EFAULT;
+ buf[ret] = '\0';
+
/*
* When PE is NULL the event is a "special" event. Rather than
* recovering a specific PE it forces the EEH core to scan for failed
--
2.39.5
