6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Burri markus.burri@mt.com
commit da9374819eb3885636934c1006d450c3cb1a02ed upstream.
The buffer is set to 80 character. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". But afterwards a string terminator is written to the buffer at offset count without boundary check. The zero termination is written OUT-OF-BOUND.
Add a check that the given buffer is smaller then the buffer to prevent.
Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer") Signed-off-by: Markus Burri markus.burri@mt.com Reviewed-by: Nuno Sá nuno.sa@analog.com Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com Cc: Stable@vger.kernel.org Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/iio/industrialio-backend.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-backend.c +++ b/drivers/iio/industrialio-backend.c @@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write ssize_t rc; int ret;
+ if (count >= sizeof(buf)) + return -ENOSPC; + rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); if (rc < 0) return rc;
- buf[count] = '\0'; + buf[rc] = '\0';
ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);