[PATCH -next] firmware: imx: secure-enclave: bound read copy by user buffer size

Pankaj Gupta posted 1 patch 1 month ago
Posted by Pankaj Gupta 1 month ago
se_if_fops_read() copied the full received message to userspace without
checking the size of the user-provided buffer. If the receive message
was larger than the buffer passed to read(), this could overflow user
memory.

Fix this by limiting the copy length to the minimum of the userspace
buffer size and the received message size. Also drop logging on
copy_to_user() failure, as returning -EFAULT is sufficient.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Closes: https://smatch.sourceforge.net/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
 drivers/firmware/imx/se_ctrl.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index d5cc37273d8e..3a1e0c6a942b 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -799,6 +799,7 @@ static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
 {
 	struct se_if_device_ctx *dev_ctx = fp->private_data;
 	struct se_if_priv *priv = dev_ctx->priv;
+	size_t copy_len;
 	int err;
 
 	dev_dbg(priv->dev, "%s: read to buf %p(%zu), ppos=%lld.", dev_ctx->devname,
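Review bot: size_t copy_len is declared next to int err, and the second hunk stores it with "err = copy_len" in a function that returns ssize_t, so the length is narrowed from size_t to int before it is returned. The value is bounded by rx_msg_sz here, but making err an ssize_t (or returning through a separate ssize_t variable) would keep the types consistent instead of relying on that bound.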
@@ -831,14 +832,13 @@ static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
 				     priv->cmd_receiver_clbk_hdl.rx_msg_sz,
 				     false);
 
-		if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg,
-				 priv->cmd_receiver_clbk_hdl.rx_msg_sz)) {
-			dev_err(priv->dev, "%s: Failed to copy to user.",
-				dev_ctx->devname);
+		copy_len = min_t(size_t, size, priv->cmd_receiver_clbk_hdl.rx_msg_sz);
+
+		if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg, copy_len))
 			err = -EFAULT;
-		} else {
-			err = priv->cmd_receiver_clbk_hdl.rx_msg_sz;
-		}
+		else
+			err = copy_len;
+
 exit:
 		priv->cmd_receiver_clbk_hdl.rx_msg_sz = 0;
 
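Review bot: with the new min_t() line, a read() whose size is smaller than rx_msg_sz returns a silently truncated message, and the "rx_msg_sz = 0" after the exit label then discards the remainder, so the caller cannot tell a short copy from a complete message. Consider rejecting an undersized buffer with an error before copying, or documenting the truncation as intended behaviour. Also prefer min() over min_t(size_t, ...) if both operands already have the same unsigned type, since the cast in min_t() would hide a signedness mismatch in rx_msg_sz.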
-- 
2.43.0
Re: [PATCH -next] firmware: imx: secure-enclave: bound read copy by user buffer size
Posted by Frank Li 1 month ago
On Thu, 07 May 2026 19:00:16 +0530, Pankaj Gupta wrote:
> se_if_fops_read() copied the full received message to userspace without
> checking the size of the user-provided buffer. If the receive message
> was larger than the buffer passed to read(), this could overflow user
> memory.
>
> Fix this by limiting the copy length to the minimum of the userspace
> buffer size and the received message size. Also drop logging on
> copy_to_user() failure, as returning -EFAULT is sufficient.
>
> [...]

Applied, thanks!

[1/1] firmware: imx: secure-enclave: bound read copy by user buffer size
change min_t() to min() and squash to
4de71839142b ("firmware: drivers: imx: adds miscdev")

Best regards,
--
Frank Li <Frank.Li@nxp.com>