[PATCH] remoteproc: avoid array index out of bounds in debugfs file

Xiaobing shi posted 1 patch 2 years, 5 months ago
drivers/remoteproc/remoteproc_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] remoteproc: avoid array index out of bounds in debugfs file
Posted by Xiaobing shi 2 years, 5 months ago
There is a negative offset of an on-stack array that causes an out of
bounds issue when someone called with a zero 'count' argument to
syswrite().

	buf[count - 1]

We should add an extra check in rproc_coredump_write() to prevent the
access.

Signed-off-by: Xiaobing shi <xiaobing.shi@mediatek.com>
---
 drivers/remoteproc/remoteproc_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c
index b5a1e3b697d9..581930483ef8 100644
--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(struct file *filp,
 	int ret, err = 0;
 	char buf[20];
 
-	if (count > sizeof(buf))
+	if (count < 1 || count > sizeof(buf))
 		return -EINVAL;
 
 	ret = copy_from_user(buf, user_buf, count);
-- 
2.18.0
Re: [PATCH] remoteproc: avoid array index out of bounds in debugfs file
Posted by Miles Chen 2 years, 5 months ago
Hi Xiaobing,

> There is a negative offset of an on-stack array that causes an out of
> bounds issue when someone called with a zero 'count' argument to
> syswrite().
> 
> 	buf[count - 1]
> 
> We should add an extra check in rproc_coredump_write() to prevent the
> access.
> 
> Signed-off-by: Xiaobing shi <xiaobing.shi@mediatek.com>

Thanks for the patch.
However, Alistair has fixed this issue:
https://lore.kernel.org/all/20220119232139.1125908-1-adelva@google.com/

Thanks,
Miles