Two EDAC debugfs write handlers copy up to sizeof(buf) bytes into a
fixed-size stack buffer and then unconditionally NUL-terminate it via
buf[len] = '\0'.  When userspace writes >= sizeof(buf) bytes, len
becomes sizeof(buf) and the NUL write lands 1 byte past the end of the
stack buffer.

Fix by clamping the copy length to sizeof(buf) - 1 so that the NUL
terminator is always in-bounds.

Fixes: 3bd2706c910f ("EDAC/zynqmp: Add EDAC support for Xilinx ZynqMP OCM")
Fixes: 83bf24051a60 ("EDAC/versal: Make the bit position of injected errors configurable")
Signed-off-by: Shengzhuo Wei <me@cherr.cc>
---
 drivers/edac/versal_edac.c | 2 +-
 drivers/edac/zynqmp_edac.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/edac/versal_edac.c b/drivers/edac/versal_edac.c
index 5a43b5d43ca28027c829f53aea50588297484c5c..917d7d1762aa9ec9f752e8419c24fd265048ff28 100644
--- a/drivers/edac/versal_edac.c
+++ b/drivers/edac/versal_edac.c
@@ -856,7 +856,7 @@ static ssize_t inject_data_ue_store(struct file *file, const char __user *data,
 	u8 len, ue0, ue1;
 	int i, ret;
 
-	len = min_t(size_t, count, sizeof(buf));
+	len = min_t(size_t, count, sizeof(buf) - 1);
 	if (copy_from_user(buf, data, len))
 		return -EFAULT;
 
diff --git a/drivers/edac/zynqmp_edac.c b/drivers/edac/zynqmp_edac.c
index cdffc9e4194d42d4d11c5218c9f341ac46301a94..048a7b9becd622a5eeebf9c893ffdf9e163f5e9b 100644
--- a/drivers/edac/zynqmp_edac.c
+++ b/drivers/edac/zynqmp_edac.c
@@ -304,7 +304,7 @@ static ssize_t inject_ue_write(struct file *file, const char __user *data,
 	if (!data)
 		return -EFAULT;
 
-	len = min_t(size_t, count, sizeof(buf));
+	len = min_t(size_t, count, sizeof(buf) - 1);
 	if (copy_from_user(buf, data, len))
 		return -EFAULT;
 

---
base-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b
change-id: 20260425-edac-stack-off-by-one-f6703cfe8213

Best regards,
-- 
Shengzhuo Wei <me@cherr.cc>

On 4/25/2026 12:19 AM, Shengzhuo Wei wrote:
> [You don't often get email from me@cherr.cc. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> Caution: This message originated from an External Source. Use proper caution when opening attachments, clicking links, or responding.
>
>
> Two EDAC debugfs write handlers copy up to sizeof(buf) bytes into a
> fixed-size stack buffer and then unconditionally NUL-terminate it via
> buf[len] = '\0'.  When userspace writes >= sizeof(buf) bytes, len
> becomes sizeof(buf) and the NUL write lands 1 byte past the end of the
> stack buffer.
>
> Fix by clamping the copy length to sizeof(buf) - 1 so that the NUL
> terminator is always in-bounds.
>
> Fixes: 3bd2706c910f ("EDAC/zynqmp: Add EDAC support for Xilinx ZynqMP OCM")
> Fixes: 83bf24051a60 ("EDAC/versal: Make the bit position of injected errors configurable")
> Signed-off-by: Shengzhuo Wei <me@cherr.cc>
> ---

Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>

> From: Shengzhuo Wei <me@cherr.cc>
> Sent: Saturday, April 25, 2026 2:49 AM
> To: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>; Sai Krishna Potthuri
> <sai.krishna.potthuri@amd.com>; Borislav Petkov <bp@alien8.de>; Luck,
> Tony <tony.luck@intel.com>; Michal Simek <michal.simek@amd.com>
> Cc: linux-edac@vger.kernel.org; linux-kernel@vger.kernel.org; linux-arm-
> kernel@lists.infradead.org; Shengzhuo Wei <me@cherr.cc>
> Subject: [PATCH] EDAC/xilinx: Fix stack off-by-one in debugfs UE injection
> handlers
> 
> Two EDAC debugfs write handlers copy up to sizeof(buf) bytes into a fixed-size
> stack buffer and then unconditionally NUL-terminate it via buf[len] = '\0'.
> When userspace writes >= sizeof(buf) bytes, len becomes sizeof(buf) and the
> NUL write lands 1 byte past the end of the stack buffer.
> 
> Fix by clamping the copy length to sizeof(buf) - 1 so that the NUL terminator is
> always in-bounds.
> 
> Fixes: 3bd2706c910f ("EDAC/zynqmp: Add EDAC support for Xilinx ZynqMP
> OCM")
> Fixes: 83bf24051a60 ("EDAC/versal: Make the bit position of injected errors
> configurable")
> Signed-off-by: Shengzhuo Wei <me@cherr.cc>

LGTM,

  Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>