From: Pengpeng Hou
To: Mahesh J Salgaonkar, "Oliver O'Halloran"
Cc: Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, "Christophe Leroy (CS GROUP)", linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Pengpeng Hou
Subject: [PATCH] powerpc/eeh: NUL-terminate debugfs command buffers before sscanf()
Date: Fri, 17 Apr 2026 15:52:05 +0800
Message-ID: <20260417075205.29738-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

eeh_force_recover_write() and pnv_eeh_ei_write() copy raw userspace bytes into fixed stack buffers with simple_write_to_buffer() and then pass those buffers straight to sscanf().
When userspace fills the buffer completely, the copied command is not NUL-terminated and sscanf() can read past the end of the stack buffer. Reject oversized writes and reserve one byte for a terminating NUL before parsing the command string.

Fixes: 954bd99435b8 ("powerpc/eeh: Add eeh_force_recover to debugfs")
Fixes: 4cf174455899 ("powerpc/powernv: Drop PHB operation post_init()")
Signed-off-by: Pengpeng Hou
---
 arch/powerpc/kernel/eeh.c                    | 11 +++++++++--
 arch/powerpc/platforms/powernv/eeh-powernv.c | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c index bb836f02101c..681701ffbf33 100644 --- a/arch/powerpc/kernel/eeh.c +++ b/arch/powerpc/kernel/eeh.c @@ -1729,11 +1729,18 @@ static ssize_t eeh_force_recover_write(struct file = *filp, uint32_t phbid, pe_no; struct eeh_pe *pe; char buf[20]; - int ret; + ssize_t ret; + + if (*ppos !=3D 0 || count >=3D sizeof(buf)) + return -EINVAL; =20 - ret =3D simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count); + ret =3D simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, + count); + if (ret < 0) + return ret; if (!ret) return -EFAULT; + buf[ret] =3D '\0'; =20 /* * When PE is NULL the event is a "special" event. Rather than diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/pl= atforms/powernv/eeh-powernv.c index db3370d1673c..88a4acc11186 100644 --- a/arch/powerpc/platforms/powernv/eeh-powernv.c +++ b/arch/powerpc/platforms/powernv/eeh-powernv.c 
@@ -71,15 +71,22 @@ static ssize_t pnv_eeh_ei_write(struct file *filp, int pe_no, type, func; unsigned long addr, mask; char buf[50]; - int ret; + ssize_t ret; =20 if (!eeh_ops || !eeh_ops->err_inject) return -ENXIO; =20 + if (*ppos !=3D 0 || count >=3D sizeof(buf)) + return -EINVAL; + /* Copy over argument buffer */ - ret =3D simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count); + ret =3D simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, + count); + if (ret < 0) + return ret; if (!ret) return -EFAULT; + buf[ret] =3D '\0'; =20 /* Retrieve parameters */ ret =3D sscanf(buf, "%x:%x:%x:%lx:%lx", --=20 2.50.1 (Apple Git-155)
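Review bot: in the arch/powerpc/kernel/eeh.c hunk the new `if (ret < 0) return ret;` after simple_write_to_buffer() is a second, independent fix: before this change a negative return (a failed copy from userspace) fell through `if (!ret)` and the uninitialised buf was handed to sscanf(). That deserves a sentence in the commit message, together with the fact that `*ppos != 0` now returns -EINVAL where the old code passed ppos straight through to simple_write_to_buffer(), since both are user-visible behaviour changes beyond the NUL termination the subject line describes.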
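Review bot: in the eeh-powernv.c hunk the guard `count >= sizeof(buf)`, the `sizeof(buf) - 1` passed to simple_write_to_buffer() and the `buf[ret] = '\0'` store all encode the same one-byte reservation, and the identical six lines now also appear in arch/powerpc/kernel/eeh.c. Either a short comment next to the guard saying the last byte is reserved for the terminator, or a small shared helper that copies and terminates in one place, would keep the two sites from drifting apart when one of them is edited later.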
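A user-space model of the two code paths, added here as an example and not part of the patch or of the kernel tree. model_simple_write_to_buffer() reproduces the copy semantics of simple_write_to_buffer() (copy up to the available size, never write a NUL); ei_write_before() mirrors the original pnv_eeh_ei_write() parsing and ei_write_after() applies the checks the patch adds. frame[] is an assumed stand-in for the stack memory that follows char buf[50], pre-filled with the hex digit 'f' so that an overread shows up in the parsed mask value; the command strings are constructed inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE   50   /* char buf[50] in pnv_eeh_ei_write() */
#define SPILL_SIZE 8    /* assumed bytes sitting "above" buf on the stack */

struct ei_args {
	unsigned int pe_no, type, func;
	unsigned long addr, mask;
};

/*
 * Model of the kernel's simple_write_to_buffer(): copy at most
 * min(count, available - *ppos) bytes to to + *ppos, advance *ppos and
 * return the number of bytes copied. It never writes a terminating NUL.
 */
static ssize_t model_simple_write_to_buffer(char *to, size_t available,
					    long long *ppos,
					    const char *from, size_t count)
{
	long long pos = *ppos;

	if (pos < 0)
		return -EINVAL;
	if ((size_t)pos >= available || count == 0)
		return 0;
	if (count > available - (size_t)pos)
		count = available - (size_t)pos;
	memcpy(to + pos, from, count);
	*ppos = pos + (long long)count;
	return (ssize_t)count;
}

/* frame[] = buf[BUF_SIZE] followed by constructed neighbour bytes "fffffff\0". */
static void init_frame(char *frame)
{
	memset(frame, 0, BUF_SIZE + SPILL_SIZE);
	memset(frame + BUF_SIZE, 'f', SPILL_SIZE - 1);
}

/* Before the patch: no size check, no terminator, negative ret treated as data. */
static ssize_t ei_write_before(const char *user_buf, size_t count,
			       struct ei_args *out)
{
	char frame[BUF_SIZE + SPILL_SIZE];
	char *buf = frame;
	long long pos = 0;	/* *ppos in the kernel */
	ssize_t ret;

	init_frame(frame);
	ret = model_simple_write_to_buffer(buf, BUF_SIZE, &pos, user_buf, count);
	if (!ret)
		return -EFAULT;
	/* With a full buffer sscanf() keeps reading into frame[BUF_SIZE..]. */
	ret = sscanf(buf, "%x:%x:%x:%lx:%lx", &out->pe_no, &out->type,
		     &out->func, &out->addr, &out->mask);
	return ret == 5 ? (ssize_t)count : -EINVAL;
}

/* After the patch: reject offset/oversized writes, reserve one byte, terminate. */
static ssize_t ei_write_after(const char *user_buf, size_t count,
			      struct ei_args *out)
{
	char frame[BUF_SIZE + SPILL_SIZE];
	char *buf = frame;
	long long pos = 0;	/* *ppos in the kernel */
	ssize_t ret;

	init_frame(frame);
	if (pos != 0 || count >= BUF_SIZE)
		return -EINVAL;
	ret = model_simple_write_to_buffer(buf, BUF_SIZE - 1, &pos, user_buf, count);
	if (ret < 0)
		return ret;
	if (!ret)
		return -EFAULT;
	buf[ret] = '\0';	/* ret <= BUF_SIZE - 1, so this stays inside buf */
	ret = sscanf(buf, "%x:%x:%x:%lx:%lx", &out->pe_no, &out->type,
		     &out->func, &out->addr, &out->mask);
	return ret == 5 ? (ssize_t)count : -EINVAL;
}

/* Constructed command: "0:0:0:0:" then a mask of zeros ending in '1', len bytes. */
static void build_cmd(char *dst, size_t len)
{
	const char head[] = "0:0:0:0:";
	size_t hl = sizeof(head) - 1;

	memcpy(dst, head, hl);
	memset(dst + hl, '0', len - hl - 1);
	dst[len - 1] = '1';
	dst[len] = '\0';
}

int main(void)
{
	struct ei_args a;
	char cmd[BUF_SIZE + 1];

	build_cmd(cmd, BUF_SIZE);	/* exactly fills buf[50]: no room for NUL */
	printf("before: ret=%zd mask=%#lx (digits read past buf)\n",
	       ei_write_before(cmd, BUF_SIZE, &a), a.mask);
	printf("after:  ret=%zd (full write rejected)\n",
	       ei_write_after(cmd, BUF_SIZE, &a));
	build_cmd(cmd, BUF_SIZE - 1);
	printf("after:  ret=%zd mask=%#lx (49 bytes, terminated)\n",
	       ei_write_after(cmd, BUF_SIZE - 1, &a), a.mask);
	return 0;
}
```

The "before" run parses a mask of 0x1fffffff from a command whose mask field is 1: the extra f digits are the neighbour bytes beyond buf, which is the overread the commit message describes. The "after" run returns -EINVAL for the 50-byte write and parses the 49-byte one correctly because buf[49] is now a NUL.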