[PATCH] s390/debug: reject zero-length input before trimming a newline

Pengpeng Hou posted 1 patch 1 month, 4 weeks ago
arch/s390/kernel/debug.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] s390/debug: reject zero-length input before trimming a newline
Posted by Pengpeng Hou 1 month, 4 weeks ago
debug_get_user_string() duplicates the userspace buffer with
memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
to strip a trailing newline.

A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.

Reject empty writes before accessing the last input byte.

Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/s390/kernel/debug.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 31430e9bcfdd..2612f634e826 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1414,6 +1414,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
 {
 	char *buffer;
 
+	if (!user_len)
+		return ERR_PTR(-EINVAL);
+
 	buffer = memdup_user_nul(user_buf, user_len);
 	if (IS_ERR(buffer))
 		return buffer;
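Review bot: the new `if (!user_len)` guard at the top of debug_get_user_string() carries no comment, and nothing in the visible lines shows why zero is special, so it can look redundant next to the IS_ERR(buffer) check that follows. A one-line comment above it saying that the later newline trim indexes buffer[user_len - 1] would tie the check to the access it protects. Placing it before memdup_user_nul() is right, since the early return then has nothing to free.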
-- 
2.50.1 (Apple Git-155)
Re: [PATCH] s390/debug: reject zero-length input before trimming a newline
Posted by Vasily Gorbik 1 month, 4 weeks ago
On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
> 
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
> 
> Reject empty writes before accessing the last input byte.
> 
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  arch/s390/kernel/debug.c | 3 +++
>  1 file changed, 3 insertions(+)

Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>

Added
Cc: stable@vger.kernel.org

And applied, thank you!

I've also addressed Sashiko's complaint [1] about debug_input_flush_fn()
as a separate patch.

[1] https://sashiko.dev/#/patchset/20260417073530.96002-1-pengpeng%40iscas.ac.cn
Re: [PATCH] s390/debug: reject zero-length input before trimming a newline
Posted by Benjamin Block 1 month, 4 weeks ago
On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
> 
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
> 
> Reject empty writes before accessing the last input byte.
> 
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
> 

There shouldn't be a blank line here.

> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  arch/s390/kernel/debug.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
> index 31430e9bcfdd..2612f634e826 100644
> --- a/arch/s390/kernel/debug.c
> +++ b/arch/s390/kernel/debug.c
> @@ -1414,6 +1414,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
>  {
>  	char *buffer;
>  
> +	if (!user_len)
> +		return ERR_PTR(-EINVAL);
> +
>  	buffer = memdup_user_nul(user_buf, user_len);
>  	if (IS_ERR(buffer))
>  		return buffer;
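Review bot: `return ERR_PTR(-EINVAL);` for user_len == 0 makes an empty write an error rather than a no-op, and the commit message only says "Reject empty writes" without stating that this userspace-visible result is intended. Assuming callers pass the ERR_PTR value back as the write's return code, as the existing `if (IS_ERR(buffer)) return buffer;` pattern suggests, the changelog should say that a zero-length write now fails with -EINVAL, since this is headed to stable.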

Otherwise this looks good to me.


Reviewed-by: Benjamin Block <bblock@linux.ibm.com>

-- 
Best Regards, Benjamin Block        /        Linux on IBM Z Kernel Development
IBM Deutschland Research & Development GmbH    /   https://www.ibm.com/privacy
Vors. Aufs.-R.: Wolfgang Wendt         /        Geschäftsführung: David Faller
Sitz der Ges.: Ehningen     /     Registergericht: AmtsG Stuttgart, HRB 243294