Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

s390/debug: Reject zero-length input in debug_input_flush_fn()

debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>

Authored by Vasily Gorbik and committed by Alexander Gordeev
e14622a7 c366a7b5

+5
+5
arch/s390/kernel/debug.c
··· 1587 1587 char input_buf[1]; 1588 1588 int rc = user_len; 1589 1589 1590 + if (!user_len) { 1591 + rc = -EINVAL; 1592 + goto out; 1593 + } 1594 + 1590 1595 if (user_len > 0x10000) 1591 1596 user_len = 0x10000; 1592 1597 if (*offset != 0) {
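
Review bot: the new `if (!user_len)` check returns -EINVAL even though `rc` is initialised to `user_len` on the line just above it, so an empty write could instead report 0 bytes written; nothing visible records why an error was preferred over the conventional 0 return. A one-line comment above the check, noting that the copy_from_user() further down always reads one byte, would keep the reason next to the code. The check also sits ahead of the `*offset != 0` test, so a zero-length write at a non-zero offset now gets -EINVAL as well. The `out` label is outside the visible context, so it is worth confirming that nothing on that path depends on state set after this point.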