[PATCH] remoteproc: avoid array index out of bounds in debugfs file
Xiaobing shi
xiaobing.shi at mediatek.com
Mon Mar 28 05:34:13 PDT 2022
There is a negative offset of an on-stack array that causes an out of
bounds issue when someone called with a zero 'count' argument to
syswrite().
buf[count - 1]
We should add an extra check in rproc_coredump_write() to prevent the
access.
Signed-off-by: Xiaobing shi <xiaobing.shi at mediatek.com>
---
drivers/remoteproc/remoteproc_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c
index b5a1e3b697d9..581930483ef8 100644
--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(struct file *filp,
int ret, err = 0;
char buf[20];
- if (count > sizeof(buf))
+ if (count < 1 || count > sizeof(buf))
return -EINVAL;
ret = copy_from_user(buf, user_buf, count);
--
2.18.0
More information about the linux-arm-kernel
mailing list