Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2224564/?format=api
{ "id": 2224564, "url": "http://patchwork.ozlabs.org/api/patches/2224564/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260417-fix-oob-read-spi-nor-v1-1-2132e61a684a@linaro.org/", "project": { "id": 3, "url": "http://patchwork.ozlabs.org/api/projects/3/?format=api", "name": "Linux MTD development", "link_name": "linux-mtd", "list_id": "linux-mtd.lists.infradead.org", "list_email": "linux-mtd@lists.infradead.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260417-fix-oob-read-spi-nor-v1-1-2132e61a684a@linaro.org>", "list_archive_url": null, "date": "2026-04-17T15:24:39", "name": "mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "c6dc6a712589705af05dfee8b483d0a2d24919d8", "submitter": { "id": 85360, "url": "http://patchwork.ozlabs.org/api/people/85360/?format=api", "name": "Tudor Ambarus", "email": "tudor.ambarus@linaro.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260417-fix-oob-read-spi-nor-v1-1-2132e61a684a@linaro.org/mbox/", "series": [ { "id": 500365, "url": "http://patchwork.ozlabs.org/api/series/500365/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/list/?series=500365", "date": "2026-04-17T15:24:39", "name": "mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500365/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224564/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224564/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=pCvqS7Qn;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=u8u9ixX/;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxzGK34Gvz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 01:25:08 +1000 (AEST)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wDl3o-00000004CrP-2xg8;\n\tFri, 17 Apr 2026 15:24:48 +0000", "from mail-wm1-x329.google.com ([2a00:1450:4864:20::329])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wDl3k-00000004Cr2-2AJb\n\tfor linux-mtd@lists.infradead.org;\n\tFri, 17 Apr 2026 15:24:45 +0000", "by mail-wm1-x329.google.com with SMTP id\n 5b1f17b1804b1-482f454be5bso18845515e9.0\n for <linux-mtd@lists.infradead.org>;\n Fri, 17 Apr 2026 08:24:43 -0700 (PDT)", "from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com.\n [104.155.83.17])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fb7aa593sm19318855e9.24.2026.04.17.08.24.42\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 08:24:42 -0700 (PDT)" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:Cc:To:Message-Id:MIME-Version:Subject:\n\tDate:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:\n\tResent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:\n\tList-Owner; bh=KNPwhoJCjHQ/iJbrhXPxyplW15/ENniujNpS8Kxv2yk=; b=pCvqS7QnULXls4\n\tOpbkVrustUEC5be65Ts0CGyohrybSeEbW7z98keWs1417LT+L0qgUcd6aIGzwsPlgTOfKJ/LAj+PX\n\tV2YdgT/R3nvDgxJLMTlPUJdBa82QjKIoTPL26WKRv0So5xzqF+B0ciy5e8/RPrnXyGoNK+hkGd9iP\n\t8QSaJ9ktz/eVTtn0NAJwFN1bS7Km95AjniWvvNsCsGEwLg/E9cVWJoGhJ3KbqVkz72jeVSHEI3k5l\n\tZnvAUE94qpyvGMOus6UH2pDyJizHTfjyIwXdwntwtUHV2rMSdB3snQ2g/LYEmyhoCQ6N2vbnN7gtu\n\tHQpQ9IWqPYqtdZ3KKUfQ==;", "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1776439482; x=1777044282;\n darn=lists.infradead.org;\n h=cc:to:message-id:content-transfer-encoding:mime-version:subject\n :date:from:from:to:cc:subject:date:message-id:reply-to;\n bh=q2bC6Hz2MAErwrJ8lu8pBzVTd3KLTohmvccUkPb3vXE=;\n b=u8u9ixX/ndJl9G2sBDRI4DtfJBqPpPRqLXYk7Jv3S/3YkU3+KPzSVIw4sYjJsF7TJ6\n dSbErorHJVZOp3f4xv4MNpOykovvYenHX/IKWDES9jcnHBRQ0yapo9oq9Wtbpja5lpyc\n QxvM+rtLh+Mzu0G+4jF0OsqWhAgP8hg1diPM2ctwW1j4QEKxpMG93o++jEbYxD0D3QyG\n xHhhfu1SFez247xUnuX/nGYAEnAOC+HAyJjNnoXbl/Zk6W4ZYeQhgw1vB8JIeHYA3lbl\n pbQWRSrVMYcoe21fOWSv6f5kupvD/oVPwHWuO1cpWozQWr5h4KIM6jS9djFQMZj+jXs0\n AcIw==" ], "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776439482; x=1777044282;\n h=cc:to:message-id:content-transfer-encoding:mime-version:subject\n :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=q2bC6Hz2MAErwrJ8lu8pBzVTd3KLTohmvccUkPb3vXE=;\n b=C1oRpg4e+jCXczw527MSf9cade37xSC6aU8jrRAFWCyZuZugwmjbbxaW43Z7dPSQRR\n CDl1Es5aQKs4nTqDaQvdzG97FAyD9g12aJY8N7FXYpi0EoaP64kLy4ZnpWhlZjIliDNh\n rj6KVAMgI4La6MHppbB1e/UCkwDolzdpT6aepR0+v2Gf37yoY2iUzMbmePKbQJyOWaXN\n kxgPmaDgs+qCNWqLt1oNHbp26my3zkj4QSQMsbLXGANEyGzVTlGP4cX6L3M4FcqxdB/K\n YrsR/Wo/VnH3/DVUXOj7rRmnRDhPgcAxd0ooz3iYBxL0Bu1zN4KOS/dF+kPxaIFkKU74\n FFjg==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ85WCclF2dS5K1xNRBdDoWQsagybUeKAXNsc3pTSSQfBaxQYWF1Deg8dSq9DkPDh27E8fTat++UQZY=@lists.infradead.org", "X-Gm-Message-State": "AOJu0YxJTvZR6JEHJ9AemDdMAQJ4Jy2fI6fQ6hU+hnJR81+8lDrHYSgl\n\tR6ulgDgHaIeN+EKOITFkenjjcXtMfIxtgWEIyMVT0N7OJ43m06YFnPItBON8/3TxKj8=", "X-Gm-Gg": "AeBDiesNdGjNii90DKLxsOdUHcZ6NpfeeFaqvmQewlAib84Jva37xWj3tJYGT7YD5w7\n\tKCKrQJNONh6VHbyCobL3xYwtO6pb7I5cIB+Z8yBHJJSguzDmCuT4djafUrRKMEmLyfst34d6PW+\n\tN+ucYC/nYm4wFol9bQ3YbNDmE13lFNrQhzCBOwYtUEfOp5FlEF/8YgRckuLZUlbiOaAvSxNdnEu\n\t0F8YoDnsSgQK+R2l97DlCyfBBR8zfoVR5v/oiQhpEiX8XYMH5BTqohwdUd/hMtVL5FD1xyc5u43\n\trCjyMM4iVM+0QEsczfPbnRavTU+KHeNgGGmheZOSfD1acf+a32npnGqYroVPDOf2yXR6GDpsj1c\n\tTrCLjV+9A7Z2WIrYimu9We5R7QeBjriGzEsbpquUfe2ZUevnscFc58MDxagc0dXGITcJdwHvVAa\n\tNhBfBJFvKMrQysUyzD3GKaEiujkiOPqOO+yTwu3+BXbec7tCGMmnTmVJ4NuK6AVgtsVG0nrzAbg\n\tGjK32UttFJVW1IrJg==", "X-Received": "by 2002:a05:600c:c0d8:b0:485:fbd2:f72 with SMTP id\n 5b1f17b1804b1-488fb8838abmr31594955e9.1.1776439482480;\n Fri, 17 Apr 2026 08:24:42 -0700 (PDT)", "From": "Tudor Ambarus <tudor.ambarus@linaro.org>", "Date": "Fri, 17 Apr 2026 15:24:39 +0000", "Subject": "[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in\n spi_nor_params_show()", "MIME-Version": "1.0", "Message-Id": "<20260417-fix-oob-read-spi-nor-v1-1-2132e61a684a@linaro.org>", "X-B4-Tracking": "v=1; b=H4sIALZQ4mkC/x2MQQqAIBAAvxJ7bkHNivpKdNDcai8aK0QQ/j3pO\n DAzL2QSpgxz84LQzZlTrKDbBrbTxYOQQ2UwygzK6hF3fjAlj0IuYL4YYxI0vVWT73RQ2kFNL6H\n q/dtlLeUD/N0NFmYAAAA=", "X-Change-ID": "20260417-fix-oob-read-spi-nor-25409b31d01a", "To": "Pratyush Yadav <pratyush@kernel.org>, Michael Walle <mwalle@kernel.org>,\n Takahiro Kuwano <takahiro.kuwano@infineon.com>,\n Miquel Raynal <miquel.raynal@bootlin.com>,\n Richard Weinberger <richard@nod.at>, Vignesh Raghavendra <vigneshr@ti.com>", "Cc": "Pratyush Yadav <p.yadav@ti.com>, Michael Walle <michael@walle.cc>,\n linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,\n stable@vger.kernel.org, Tudor Ambarus <tudor.ambarus@linaro.org>", "X-Mailer": "b4 0.14.3", "X-Developer-Signature": "v=1; a=ed25519-sha256; t=1776439482; l=2246;\n i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id;\n bh=tPwzxOzm9uakxuwTOcaC6u3ngixwWgQyrsHL71YIYTU=;\n b=YEZm7VO5nMzhEC2ZjHHkxyVPrh8RqY7QfAve2g2czKQlHG7IhQzXTiAzdiWNjmv/aHtJCgjXz\n J7wTQsy5Gv4BqCCXi8QEBKX9Rwd5fEhlGUpMBPbQHGmhGJ31U8ZID0B", "X-Developer-Key": "i=tudor.ambarus@linaro.org; a=ed25519;\n pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI=", "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20260417_082444_615051_CBB548B0 ", "X-CRM114-Status": "GOOD ( 12.30 )", "X-Spam-Score": "-2.1 (--)", "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: Sashiko noticed an out-of-bounds read [1]. In\n spi_nor_params_show(),\n the snor_f_names array is passed to spi_nor_print_flags() using\n sizeof(snor_f_names).\n Since snor_f_names is an array of pointers,\n sizeof() returns the total number\n of bytes occupied by the pointers (element_count * sizeof(void *)) rather\n than the element count itself. On 64-bit systems [...]\n Content analysis details: (-2.1 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no\n trust\n [2a00:1450:4864:20:0:0:0:329 listed in]\n [list.dnswl.org]\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]", "X-BeenThere": "linux-mtd@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/linux-mtd/>", "List-Post": "<mailto:linux-mtd@lists.infradead.org>", "List-Help": "<mailto:linux-mtd-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"linux-mtd\" <linux-mtd-bounces@lists.infradead.org>", "Errors-To": "linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "Sashiko noticed an out-of-bounds read [1].\n\nIn spi_nor_params_show(), the snor_f_names array is passed to\nspi_nor_print_flags() using sizeof(snor_f_names).\n\nSince snor_f_names is an array of pointers, sizeof() returns the total\nnumber of bytes occupied by the pointers\n\t(element_count * sizeof(void *))\nrather than the element count itself. On 64-bit systems, this makes the\npassed length 8x larger than intended.\n\nInside spi_nor_print_flags(), the 'names_len' argument is used to\nbounds-check the 'names' array access. An out-of-bounds read occurs\nif a flag bit is set that exceeds the array's actual element count\nbut is within the inflated byte-size count.\n\nCorrect this by using ARRAY_SIZE() to pass the actual number of\nstring pointers in the array.\n\nCc: stable@vger.kernel.org\nFixes: 0257be79fc4a (\"mtd: spi-nor: expose internal parameters via debugfs\")\nCloses: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]\nSigned-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>\n---\nWe shall assign a CVE to this. I'll look into how next week.\n\nLink: https://lore.kernel.org/linux-mtd/20260417-die-erase-fix-v2-1-73bb7004ebad@infineon.com/\n---\n drivers/mtd/spi-nor/debugfs.c | 4 +++-\n 1 file changed, 3 insertions(+), 1 deletion(-)\n\n\n---\nbase-commit: 43cfbdda5af60ffc6272a7b8c5c37d1d0a181ca9\nchange-id: 20260417-fix-oob-read-spi-nor-25409b31d01a\n\nBest regards,", "diff": "diff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c\nindex fa6956144d2e..14ba1680c315 100644\n--- a/drivers/mtd/spi-nor/debugfs.c\n+++ b/drivers/mtd/spi-nor/debugfs.c\n@@ -1,5 +1,6 @@\n // SPDX-License-Identifier: GPL-2.0\n \n+#include <linux/array_size.h>\n #include <linux/debugfs.h>\n #include <linux/mtd/spi-nor.h>\n #include <linux/spi/spi.h>\n@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data)\n \tseq_printf(s, \"address nbytes\\t%u\\n\", nor->addr_nbytes);\n \n \tseq_puts(s, \"flags\\t\\t\");\n-\tspi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));\n+\tspi_nor_print_flags(s, nor->flags, snor_f_names,\n+\t\t\t ARRAY_SIZE(snor_f_names));\n \tseq_puts(s, \"\\n\");\n \n \tseq_puts(s, \"\\nopcodes\\n\");\n", "prefixes": [] }