Message ID | 20230629155122.539186-1-yguoaz@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] EDAC/zynqmp: Fix an off-by-one buffer overrun in inject_ue_write |
> -----Original Message----- > From: Yiyuan Guo <yguoaz@gmail.com> > Sent: Thursday, June 29, 2023 9:21 PM > To: Datta, Shubhrajyoti <shubhrajyoti.datta@amd.com>; Potthuri, Sai Krishna > <sai.krishna.potthuri@amd.com> > Cc: bp@alien8.de; tony.luck@intel.com; james.morse@arm.com; > mchehab@kernel.org; rric@kernel.org; Simek, Michal > <michal.simek@amd.com>; linux-edac@vger.kernel.org; linux-arm- > kernel@lists.infradead.org; yguoaz@gmail.com > Subject: [PATCH v2] EDAC/zynqmp: Fix an off-by-one buffer overrun in > inject_ue_write > > inject_ue_write() may access a local buffer `buf` at index `len = sizeof(buf)`. Fix > the length value to avoid buffer overrun. > > Signed-off-by: Yiyuan Guo <yguoaz@gmail.com> Reviewed-by: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com> > --- > drivers/edac/zynqmp_edac.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/edac/zynqmp_edac.c b/drivers/edac/zynqmp_edac.c index > ac7d1e0b324c..bd9c1ff4b5e9 100644 > --- a/drivers/edac/zynqmp_edac.c > +++ b/drivers/edac/zynqmp_edac.c > @@ -304,7 +304,7 @@ static ssize_t inject_ue_write(struct file *file, const char > __user *data, > if (!data) > return -EFAULT; > > - len = min_t(size_t, count, sizeof(buf)); > + len = min_t(size_t, count, sizeof(buf) - 1); > if (copy_from_user(buf, data, len)) > return -EFAULT; > > -- > 2.25.1
diff --git a/drivers/edac/zynqmp_edac.c b/drivers/edac/zynqmp_edac.c index ac7d1e0b324c..bd9c1ff4b5e9 100644 --- a/drivers/edac/zynqmp_edac.c +++ b/drivers/edac/zynqmp_edac.c @@ -304,7 +304,7 @@ static ssize_t inject_ue_write(struct file *file, const char __user *data, if (!data) return -EFAULT; - len = min_t(size_t, count, sizeof(buf)); + len = min_t(size_t, count, sizeof(buf) - 1); if (copy_from_user(buf, data, len)) return -EFAULT;
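Review bot: The access at index `len` that the commit message describes is not visible in this hunk, whose context ends at the `copy_from_user()` error return after the changed `len = min_t(size_t, count, sizeof(buf) - 1);` line. The commit message should name the statement that touches `buf[len]` and say what it writes, so the off-by-one can be verified from the log alone. The patch also carries no Fixes: tag; adding one that points at the commit which introduced inject_ue_write() would help stable backports. Separately, a write whose count exceeds `sizeof(buf) - 1` is silently truncated before `copy_from_user()`; consider rejecting such input with -EINVAL instead, and check that the function's return value, which is outside this hunk, is consistent with the number of bytes actually consumed.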
inject_ue_write() may access a local buffer `buf` at index `len = sizeof(buf)`. Fix the length value to avoid buffer overrun.

Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>

---

drivers/edac/zynqmp_edac.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)