{"id":2224257,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2224257/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260417075205.29738-1-pengpeng@iscas.ac.cn/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.2/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<20260417075205.29738-1-pengpeng@iscas.ac.cn>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/20260417075205.29738-1-pengpeng@iscas.ac.cn/","date":"2026-04-17T07:52:05","name":"powerpc/eeh: NUL-terminate debugfs command buffers before sscanf()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"8e85cf0ab4d08ae95051ef0bf9d7423f5fc7651a","submitter":{"id":93000,"url":"http://patchwork.ozlabs.org/api/1.2/people/93000/?format=json","name":"Pengpeng Hou","email":"pengpeng@iscas.ac.cn"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260417075205.29738-1-pengpeng@iscas.ac.cn/mbox/","series":[{"id":500259,"url":"http://patchwork.ozlabs.org/api/1.2/series/500259/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=500259","date":"2026-04-17T07:52:05","name":"powerpc/eeh: NUL-terminate debugfs command buffers before sscanf()","version":1,"mbox":"http://patchwork.ozlabs.org/series/500259/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224257/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/2224257/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-19823-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=159.226.251.25","lists.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=iscas.ac.cn","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=iscas.ac.cn\n (client-ip=159.226.251.25; helo=cstnet.cn;\n envelope-from=pengpeng@iscas.ac.cn; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)\n server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxnCv2rrPz1yDF\n\tfor ; Fri, 17 Apr 2026 17:52:27 +1000 (AEST)","from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4fxnCt5G96z2yhP;\n\tFri, 17 Apr 2026 17:52:26 +1000 (AEST)","from cstnet.cn (smtp25.cstnet.cn [159.226.251.25])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4fxnCs4svKz2xpt\n\tfor ; Fri, 17 Apr 2026 17:52:25 +1000 (AEST)","from localhost.localdomain (unknown [111.196.245.116])\n\tby APP-05 (Coremail) with SMTP id zQCowAAHlwqm5uFp1EfYDQ--.22343S2;\n\tFri, 17 Apr 2026 15:52:07 +0800 (CST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1776412346;\n\tcv=none;\n b=S6FPBb98LxTE5q/4cle6on4BnpjE2XeruGGNppunKonUmkc8SATQ533a8GGPqmcyuBwb7GOQQReYiXullY0czjE2Zd+v5nCyyWpfqn9OiPfqh981h85gzqvclzNt+UGHojJlmob/vJMD6lfDW7L/Zz/km8Gx2tPPc79D6d7JYhY1PNnZQHIXfpVmBUDep66DWUHCQYWWb2qWcNqVuoif6oBdUVaBHuxNntc0fF9biNlizvmrnM+4BDrjQdd8LALVbhqEhcV8XBo5wXKP+S3xvMuR7K79mMonOzUZYL3u5/4ivH2eFo8w+40kZNILbL7WInH79oG0Ek9GfELKR5mMmA==","ARC-Message-Signature":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1776412346; c=relaxed/relaxed;\n\tbh=WS7YPZVmugcljsO7oz8p4pAwkAo3QzRxiyGqxUf02hw=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=SWvB4nOnnF2mTrlwK2jKN1Y6+NrstnwmlM6pzNtTmF7CGmVlmszqyAV/N8jTWsOafhfbF9oYELBDMGB7NKyJdm6wQ/BkLfPRtpXZT8xHwgYjx/Rbx1fKchjdwU7o7BiK3GY/WgRieJoGQpXPeGvRWIQAoHW/4zjdirtKYaP2WzjXhXKI37UaYpjadoGWa7Trhw+zRRvKlnSHKX2SVFFGQiOZ3Zp++AvgV8WcCHFUpVcQcTlP6aac2uqnNjDW9loq4PAfE+aokgLTVFkjKQnW92I/YGHZxSc5IrC0u2nTj5duFPgdRxeQrVYe8/fQN/rE6vQcQBglbk/u+lA38wcajw==","ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=iscas.ac.cn;\n spf=pass (client-ip=159.226.251.25; helo=cstnet.cn;\n envelope-from=pengpeng@iscas.ac.cn;\n receiver=lists.ozlabs.org) smtp.mailfrom=iscas.ac.cn","From":"Pengpeng Hou ","To":"Mahesh J Salgaonkar ,\n\t\"Oliver O'Halloran\" ","Cc":"Madhavan Srinivasan ,\n\tMichael Ellerman ,\n\tNicholas Piggin ,\n\t\"Christophe Leroy (CS GROUP)\" ,\n\tlinuxppc-dev@lists.ozlabs.org,\n\tlinux-kernel@vger.kernel.org,\n\tPengpeng Hou ","Subject":"[PATCH] powerpc/eeh: NUL-terminate debugfs command buffers before\n sscanf()","Date":"Fri, 17 Apr 2026 15:52:05 +0800","Message-ID":"<20260417075205.29738-1-pengpeng@iscas.ac.cn>","X-Mailer":"git-send-email 2.50.1","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"","List-Help":"","List-Owner":"","List-Post":"","List-Archive":",\n ","List-Subscribe":",\n ,\n ","List-Unsubscribe":"","Precedence":"list","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-CM-TRANSID":"zQCowAAHlwqm5uFp1EfYDQ--.22343S2","X-Coremail-Antispam":"1UD129KBjvJXoW7uryxXw15tFWfGryfWry3urg_yoW5JrW7pF\n\tn0kF13Jw4vqrs7tFnIvF45Zr40grs3Jry3K3y8G397Zr13ZrnF9FyUGFyYqrWkXr4xZF40\n\tqrsxCFyqvrnrWw7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2\n\t9KBjDU0xBIdaVrnRJUUUkE14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0\n\trVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02\n\t1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U\n\tJVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc\n\tCE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E\n\t2Ix0cI8IcVAFwI0_JF0_Jw1lYx0Ex4A2jsIE14v26r4j6F4UMcvjeVCFs4IE7xkEbVWUJV\n\tW8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7CjxVAaw2AFwI0_\n\tJw0_GFyl42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67\n\tAKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIY\n\trxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_JFI_Gr1lIxAIcVC0I7IYx2IY6xkF7I0E14\n\tv26F4j6r4UJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Gr0_\n\tCr1lIxAIcVC2z280aVCY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUgXo\n\tcUUUUU=","X-Originating-IP":"[111.196.245.116]","X-CM-SenderInfo":"pshqw1xhqjqxpvfd2hldfou0/","X-Spam-Status":"No, score=-0.0 required=3.0 tests=RCVD_IN_DNSWL_NONE,\n\tSPF_HELO_PASS,SPF_PASS autolearn=disabled version=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"eeh_force_recover_write() and pnv_eeh_ei_write() copy raw userspace\nbytes into fixed stack buffers with simple_write_to_buffer() and then\npass those buffers straight to sscanf().\n\nWhen userspace fills the buffer completely, the copied command is not\nNUL-terminated and sscanf() can read past the end of the stack buffer.\n\nReject oversized writes and reserve one byte for a terminating NUL before\nparsing the command string.\n\nFixes: 954bd99435b8 (\"powerpc/eeh: Add eeh_force_recover to debugfs\")\nFixes: 4cf174455899 (\"powerpc/powernv: Drop PHB operation post_init()\")\n\nSigned-off-by: Pengpeng Hou \n---\n arch/powerpc/kernel/eeh.c | 11 +++++++++--\n arch/powerpc/platforms/powernv/eeh-powernv.c | 11 +++++++++--\n 2 files changed, 18 insertions(+), 4 deletions(-)","diff":"diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c\nindex bb836f02101c..681701ffbf33 100644\n--- a/arch/powerpc/kernel/eeh.c\n+++ b/arch/powerpc/kernel/eeh.c\n@@ -1729,11 +1729,18 @@ static ssize_t eeh_force_recover_write(struct file *filp,\n \tuint32_t phbid, pe_no;\n \tstruct eeh_pe *pe;\n \tchar buf[20];\n-\tint ret;\n+\tssize_t ret;\n+\n+\tif (*ppos != 0 || count >= sizeof(buf))\n+\t\treturn -EINVAL;\n \n-\tret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);\n+\tret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,\n+\t\t\t\t count);\n+\tif (ret < 0)\n+\t\treturn ret;\n \tif (!ret)\n \t\treturn -EFAULT;\n+\tbuf[ret] = '\\0';\n \n \t/*\n \t * When PE is NULL the event is a \"special\" event. Rather than\ndiff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c\nindex db3370d1673c..88a4acc11186 100644\n--- a/arch/powerpc/platforms/powernv/eeh-powernv.c\n+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c\n@@ -71,15 +71,22 @@ static ssize_t pnv_eeh_ei_write(struct file *filp,\n \tint pe_no, type, func;\n \tunsigned long addr, mask;\n \tchar buf[50];\n-\tint ret;\n+\tssize_t ret;\n \n \tif (!eeh_ops || !eeh_ops->err_inject)\n \t\treturn -ENXIO;\n \n+\tif (*ppos != 0 || count >= sizeof(buf))\n+\t\treturn -EINVAL;\n+\n \t/* Copy over argument buffer */\n-\tret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);\n+\tret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,\n+\t\t\t\t count);\n+\tif (ret < 0)\n+\t\treturn ret;\n \tif (!ret)\n \t\treturn -EFAULT;\n+\tbuf[ret] = '\\0';\n \n \t/* Retrieve parameters */\n \tret = sscanf(buf, \"%x:%x:%x:%lx:%lx\",\n","prefixes":[]}