[PATCH] leds: uleds: Fix potential buffer overread

Armin Wolf posted 1 patch 2 weeks, 1 day ago
drivers/leds/uleds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] leds: uleds: Fix potential buffer overread
Posted by Armin Wolf 2 weeks, 1 day ago
The name string supplied by userspace is not guaranteed to be
null-terminated, so using strchr() on it might result in a buffer
overread. The same thing will happen when said string is used by
the LED class device.

Fix this by using strnchr() instead and explicitly check that
the name string is properly null-terminated.

Cc: stable@vger.kernel.org
Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
---
 drivers/leds/uleds.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c
index ace71ffc0591..41942cfca705 100644
--- a/drivers/leds/uleds.c
+++ b/drivers/leds/uleds.c
@@ -102,7 +102,8 @@ static ssize_t uleds_write(struct file *file, const char __user *buffer,
 
 	name = udev->user_dev.name;
 	if (!name[0] || !strcmp(name, ".") || !strcmp(name, "..") ||
-	    strchr(name, '/')) {
+	    strnchr(name, sizeof(udev->user_dev.name), '/') ||
+	    !strnchr(name, sizeof(udev->user_dev.name), '\0')) {
 		ret = -EINVAL;
 		goto out;
 	}
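Review bot: The termination test in the last added condition, `!strnchr(name, sizeof(udev->user_dev.name), '\0')`, is easy to misread as a character search rather than a bounds check. `strnlen(name, sizeof(udev->user_dev.name)) == sizeof(udev->user_dev.name)` would state the intent directly, or a one-line comment above the condition could say that names with no NUL inside the buffer are rejected. Consider moving that test to the front of the chain, ahead of the `strcmp()` calls, so every later test visibly operates on a terminated string. The `strcmp()` comparisons against "." and ".." read at most three bytes of `name` either way, so this is about readability, not a remaining overread. As written, the buffer is also scanned twice with the same `sizeof` expression; a single length computed once could serve both the '/' search and the termination check.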
-- 
2.39.5
Re: (subset) [PATCH] leds: uleds: Fix potential buffer overread
Posted by Lee Jones 4 days, 8 hours ago
On Mon, 25 May 2026 01:55:53 +0200, Armin Wolf wrote:
> The name string supplied by userspace is not guaranteed to be
> null-terminated, so using strchr() on it might result in a buffer
> overread. The same thing will happen when said string is used by
> the LED class device.
> 
> Fix this by using strnchr() instead and explicitly check that
> the name string is properly null-terminated.
> 
> [...]

Applied, thanks!

[1/1] leds: uleds: Fix potential buffer overread
      commit: 22b69b2c0a5573e58ad66693196fc86369980568

--
Lee Jones [李琼斯]