mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Tudor Ambarus 1 month, 4 weeks ago

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
---
We shall assign a CVE to this. I'll look into how next week.

Link: https://lore.kernel.org/linux-mtd/20260417-die-erase-fix-v2-1-73bb7004ebad@infineon.com/
---
 drivers/mtd/spi-nor/debugfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c
index fa6956144d2e..14ba1680c315 100644
--- a/drivers/mtd/spi-nor/debugfs.c
+++ b/drivers/mtd/spi-nor/debugfs.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/array_size.h>
 #include <linux/debugfs.h>
 #include <linux/mtd/spi-nor.h>
 #include <linux/spi/spi.h>
@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data)
 	seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);
 
 	seq_puts(s, "flags\t\t");
-	spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
+	spi_nor_print_flags(s, nor->flags, snor_f_names,
+			    ARRAY_SIZE(snor_f_names));
 	seq_puts(s, "\n");
 
 	seq_puts(s, "\nopcodes\n");

---
base-commit: 43cfbdda5af60ffc6272a7b8c5c37d1d0a181ca9
change-id: 20260417-fix-oob-read-spi-nor-25409b31d01a

Best regards,
-- 
Tudor Ambarus <tudor.ambarus@linaro.org>

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Miquel Raynal 1 month, 2 weeks ago

On Fri, 17 Apr 2026 15:24:39 +0000, Tudor Ambarus wrote:
> Sashiko noticed an out-of-bounds read [1].
> 
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
> 
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
> 	(element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
> 
> [...]

Applied to mtd/fixes, thanks!

[1/1] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
      commit: e47029b977e747cb3a9174308fd55762cce70147

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl

RE: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Takahiro.Kuwano@infineon.com 1 month, 3 weeks ago

> Sashiko noticed an out-of-bounds read [1].
> 
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
> 
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
>         (element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
> 
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
> 
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
> 
> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>

Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Michael Walle 1 month, 3 weeks ago

On Fri Apr 17, 2026 at 5:24 PM CEST, Tudor Ambarus wrote:
> Sashiko noticed an out-of-bounds read [1].
>
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
>
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
> 	(element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
>
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
>
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
>
> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>

Reviewed-by: Michael Walle <mwalle@kernel.org>

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Miquel Raynal 1 month, 3 weeks ago

Hi Tudor,

On 17/04/2026 at 15:24:39 GMT, Tudor Ambarus <tudor.ambarus@linaro.org> wrote:

> Sashiko noticed an out-of-bounds read [1].

[...]

> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
> ---
> We shall assign a CVE to this. I'll look into how next week.

They are assigned automatically to every fix, no?

If spi-nor folks want to ack, I might take it through an mtd/fixes PR.

Thanks,
Miquèl

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Tudor Ambarus 1 month, 3 weeks ago


On 4/21/26 10:35 AM, Miquel Raynal wrote:
>> We shall assign a CVE to this. I'll look into how next week.
> They are assigned automatically to every fix, no?

Indeed, it seems there's a dedicated team assigning CVEs to
security bugs, I didn't know:
https://docs.kernel.org/process/cve.html

Cheers,
ta

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Posted by Pratyush Yadav 1 month, 3 weeks ago

On Tue, Apr 21 2026, Miquel Raynal wrote:

> Hi Tudor,
>
> On 17/04/2026 at 15:24:39 GMT, Tudor Ambarus <tudor.ambarus@linaro.org> wrote:
>
>> Sashiko noticed an out-of-bounds read [1].
>
> [...]
>
>> Cc: stable@vger.kernel.org
>> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
>> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
>> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
>> ---
>> We shall assign a CVE to this. I'll look into how next week.
>
> They are assigned automatically to every fix, no?
>
> If spi-nor folks want to ack, I might take it through an mtd/fixes PR.

Reviewed-by: Pratyush Yadav <pratyush@kernel.org>

Please do. Thanks!

-- 
Regards,
Pratyush Yadav