[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
Michael Walle
michael at walle.cc
Tue Apr 21 04:31:25 PDT 2026
On Fri Apr 17, 2026 at 5:24 PM CEST, Tudor Ambarus wrote:
> Sashiko noticed an out-of-bounds read [1].
>
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
>
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
> (element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
>
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
>
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
>
> Cc: stable at vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus at linaro.org>
Reviewed-by: Michael Walle <mwalle at kernel.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 297 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/linux-mtd/attachments/20260421/9f1d8100/attachment.sig>
More information about the linux-mtd
mailing list