From: Pengpeng Hou
To: linux@armlinux.org.uk
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] ARM: rpc: ecard: bound variable-length chunk reads
Date: Sun, 29 Mar 2026 11:09:46 +0800
Message-ID: <20260329030946.32386-1-pengpeng@iscas.ac.cn>

ecard_readchunk() reads variable-length string chunk payloads into a fixed 256-byte local buffer without checking whether the encoded chunk length actually fits.

Treat overlong string chunks as invalid and terminate accepted ones before copying them into the exported chunk directory buffer.
Signed-off-by: Pengpeng Hou --- arch/arm/mach-rpc/ecard.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm/mach-rpc/ecard.c b/arch/arm/mach-rpc/ecard.c index 972465840548..1340ef0364f8 100644 --- a/arch/arm/mach-rpc/ecard.c +++ b/arch/arm/mach-rpc/ecard.c @@ -367,9 +367,12 @@ int ecard_readchunk(struct in_chunk_dir *cd, ecard_t *= ec, int id, int num) if (c_id(&excd) & 0x80) { switch (c_id(&excd) & 0x70) { case 0x70: + if (c_len(&excd) >=3D sizeof(excd.d.string)) + return 0; ecard_readbytes((unsigned char *)excd.d.string, ec, (int)c_start(&excd), c_len(&excd), useld); + excd.d.string[c_len(&excd)] =3D '\0'; break; case 0x00: break; --=20 2.50.1 (Apple Git-155)
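Review bot: the `return 0;` added in the `case 0x70:` branch for an overlong string chunk bails out with no diagnostic, so a card ROM whose chunk directory carries a bad length is dropped silently; consider a rate-limited warning (for example `pr_warn_once()`) next to the return, or at least a short comment stating that the `>=` in `c_len(&excd) >= sizeof(excd.d.string)` is deliberate so that the `'\0'` written at index `c_len(&excd)` still lands inside `excd.d.string`. Reading `c_len(&excd)` into a local once rather than evaluating it three times in the same branch would also make that relationship easier to see in review.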