Re: [PATCH] RDMA/ionic: bound node_desc sysfs read with %.64s

Next message: Jonathan Corbet: "Re: [PATCH] tracing: Documentation: Update histogram-design.rst for fn() handling"
Previous message: Hungyu Lin: "[PATCH v2 2/2] staging: sm750fb: propagate error codes from de_wait()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Thu Apr 09 2026 - 11:59:59 EST

On Tue, Apr 07, 2026 at 12:20:22PM +0300, Kai Zen wrote:
> node_desc[64] in struct ib_device is not guaranteed to be NUL-
> terminated. The core IB sysfs handler uses "%.64s" for exactly this
> reason (drivers/infiniband/core/sysfs.c:1307), since node_desc_store()
> performs a raw memcpy of up to IB_DEVICE_NODE_DESC_MAX bytes with no
> NUL termination:
>
> memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
>
> If exactly 64 bytes are written via the node_desc sysfs file, the
> array contains no NUL byte. The ionic hca_type_show() handler uses
> unbounded "%s" and will read past the end of node_desc into adjacent
> fields of struct ib_device until it encounters a NUL.
>
> Match the core handler and bound the format specifier.
>
> Verified against torvalds/linux.git master at bfe62a45.
>
> Signed-off-by: Kai Aizen <kai.aizen.dev@xxxxxxxxx>
> ---
> drivers/infiniband/hw/ionic/ionic_ibdev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Your diff is malformed but I fixed it up and added a Fixes tag.

Thanks,
Jason