archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 06:04:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

iio: backend: fix out-of-bound write

Browse source 
The buffer is set to 80 character. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
But afterwards a string terminator is written to the buffer at offset count
without boundary check. The zero termination is written OUT-OF-BOUND.

Add a check that the given buffer is smaller then the buffer to prevent.

Fixes: 035b498921 ("iio: backend: make sure to NULL terminate stack buffer")
Signed-off-by: Markus Burri <markus.burri@mt.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This commit is contained in:
Markus Burri 2025-05-08 15:06:07 +02:00 committed by Jonathan Cameron
parent 19272b37aa
commit da9374819e
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
drivers/iio/industrialio-backend.c
View file

@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file *file,
ssize_t rc;
int ret;
if (count >= sizeof(buf))
return -ENOSPC;
rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
if (rc < 0)
return rc;
buf[count] = '\0';
buf[rc] = '\0';
ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);