From: Tudor Ambarus
Date: Fri, 17 Apr 2026 15:24:39 +0000
Subject: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260417-fix-oob-read-spi-nor-v1-1-2132e61a684a@linaro.org>
To: Pratyush Yadav, Michael Walle, Takahiro Kuwano, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra
Cc: Pratyush Yadav, Michael Walle, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Tudor Ambarus

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access.
An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array. Cc: stable@vger.kernel.org Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs") Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004= ebad%40infineon.com [1] Signed-off-by: Tudor Ambarus Reviewed-by: Michael Walle Reviewed-by: Pratyush Yadav Reviewed-by: Takahiro Kuwano --- We shall assign a CVE to this. I'll look into how next week. Link: https://lore.kernel.org/linux-mtd/20260417-die-erase-fix-v2-1-73bb700= 4ebad@infineon.com/ --- drivers/mtd/spi-nor/debugfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e..14ba1680c315 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 =20 +#include #include #include #include @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *= data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); =20 seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); =20 seq_puts(s, "\nopcodes\n"); --- base-commit: 43cfbdda5af60ffc6272a7b8c5c37d1d0a181ca9 change-id: 20260417-fix-oob-read-spi-nor-25409b31d01a Best regards, --=20 Tudor Ambarus
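
Review bot: In the second hunk, at the spi_nor_print_flags() call in spi_nor_params_show(), the fix corrects this one call site but leaves the unit of names_len undocumented, which is what let sizeof() be passed in the first place. Consider stating at the spi_nor_print_flags() definition that names_len is an element count, or wrapping the call in a small macro that applies ARRAY_SIZE() to the names array so a byte size cannot be passed again. The commit message also only mentions the 8x inflation on 64-bit systems; with 4-byte pointers the length is still inflated 4x, so the out-of-bounds read is not limited to 64-bit, and that is worth saying for the stable backport and the CVE text.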
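
The length mix-up described in the commit message, as an added user-space example that is not part of the patch or of the kernel source. The table demo_names, the helper oob_lookups() and the shape of the bounds check (a set bit i is looked up only if i < names_len) are assumptions modelled on the commit message; the code counts offending indexes and never reads past the array.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space ARRAY_SIZE(); the kernel macro adds a type check. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for snor_f_names (the real entries are not on the page). */
static const char *const demo_names[] = {
	"FLAG_A", "FLAG_B", "FLAG_C", "FLAG_D", "FLAG_E",
};

/*
 * Assumed model of the check: bit i of flags is looked up in names[] only
 * if i < names_len. Returns how many set bits pass that check while
 * indexing past the real end of the table (real_count elements).
 */
static unsigned int oob_lookups(unsigned long flags, size_t names_len,
				size_t real_count)
{
	unsigned int oob = 0;

	for (size_t bit = 0; bit < sizeof(flags) * 8; bit++) {
		if (!(flags & (1UL << bit)))
			continue;
		if (bit < names_len && bit >= real_count)
			oob++;	/* check passes, index is out of bounds */
	}
	return oob;
}

/* Before the fix: the byte size of the pointer array is passed as the length. */
static unsigned int oob_with_sizeof(unsigned long flags)
{
	return oob_lookups(flags, sizeof(demo_names), ARRAY_SIZE(demo_names));
}

/* After the fix: the element count is passed as the length. */
static unsigned int oob_with_array_size(unsigned long flags)
{
	return oob_lookups(flags, ARRAY_SIZE(demo_names), ARRAY_SIZE(demo_names));
}

int main(void)
{
	unsigned long flags = (1UL << 1) | (1UL << 7) | (1UL << 12);

	printf("elements=%zu bytes=%zu\n", ARRAY_SIZE(demo_names), sizeof(demo_names));
	printf("oob lookups with sizeof: %u\n", oob_with_sizeof(flags));
	printf("oob lookups with ARRAY_SIZE: %u\n", oob_with_array_size(flags));
	return 0;
}
```

Bits 7 and 12 lie beyond the five-entry table yet below its byte size with either 4-byte or 8-byte pointers, so only the sizeof() variant lets them through.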