Re: [PATCH v3] staging: nvec: validate battery response length before memcpy

Next message: Lad, Prabhakar: "Re: [PATCH 01/14] media: rzg2l-cru: Skip ICnMC configuration when ICnSVC is used"
Previous message: Rong Xu: "Re: [PATCH v7 3/3] kbuild: distributed build support for Clang ThinLTO"
In reply to: Sebastian Josue Alba Vives: "[PATCH v3] staging: nvec: validate battery response length before memcpy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Mon Mar 30 2026 - 11:56:26 EST

On Mon, Mar 30, 2026 at 06:52:00AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84@xxxxxxxxx>
>
> In nvec_power_notifier(), the response length from the embedded
> controller is used directly as the size argument to memcpy() when
> copying battery manufacturer, model, and type strings. The
> destination buffers (bat_manu, bat_model, bat_type) are fixed at
> 30 bytes, but res->length is a u8 that can be up to 255, allowing
> a heap buffer overflow.

How can the embedded controller send data that is not correct? It is
trusted, right?

> Additionally, if res->length is less than 2, the subtraction
> res->length - 2 wraps around as an unsigned value, resulting in a
> large copy that corrupts kernel heap memory.
>
> Introduce NVEC_BAT_STRING_SIZE to replace the hardcoded buffer
> size, store res->length - 2 in a local copy_len variable for
> clarity, and add bounds checks before each memcpy to ensure the
> copy length does not exceed the destination buffer and that
> res->length is at least 2 to prevent unsigned integer underflow.

Is this the only data that needs to be validated from the controller?

> Reported-by: kernel test robot <lkp@xxxxxxxxx>

The kernel test robot did not report these buffer size issues :(

thanks,

greg k-h