[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
Takahiro.Kuwano at infineon.com
Takahiro.Kuwano at infineon.com
Tue Apr 21 07:32:45 PDT 2026
> Sashiko noticed an out-of-bounds read [1].
>
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
>
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
> (element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
>
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
>
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
>
> Cc: stable at vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus at linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano at infineon.com>
More information about the linux-mtd
mailing list