On Thu, 8 May 2025 15:06:09 +0200 Markus Burri <markus.bu...@mt.com> wrote:
> The buffer is set to 20 characters. If a caller write more characters, > count is truncated to the max available space in "simple_write_to_buffer". > To protect from OoB access, check that the input size fit into buffer and > add a zero terminator after copy to the end of the copied data. > > Signed-off-by: Markus Burri <markus.bu...@mt.com> I added Fixes: 6d5dd486c715 ("iio: core: make use of simple_write_to_buffer()") If it predates that we'll need a manual backport anyway. If you have time to take a look at that Markus that would be great. Jonathan > --- > drivers/iio/industrialio-core.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c > index b9f4113ae5fc..ebf17ea5a5f9 100644 > --- a/drivers/iio/industrialio-core.c > +++ b/drivers/iio/industrialio-core.c > @@ -410,12 +410,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file, > char buf[80]; > int ret; > > + if (count >= sizeof(buf)) > + return -EINVAL; > + > ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, > count); > if (ret < 0) > return ret; > > - buf[count] = '\0'; > + buf[ret] = '\0'; > > ret = sscanf(buf, "%i %i", ®, &val); >
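Review bot: At `buf[ret] = '\0';` the terminator index assumes the write started at offset 0. simple_write_to_buffer() copies to buf + *ppos and returns only the number of bytes copied, so with a non-zero *ppos the terminator lands before the copied data and sscanf() reads stack bytes in buf that were never initialized. Consider rejecting a non-zero *ppos next to the new `count >= sizeof(buf)` check, or zero-initializing buf at its declaration. Separately, the commit message says the buffer is 20 characters while the context line in this hunk shows `char buf[80];`, so the description should be corrected to match the code.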