Re: [PATCH 2/4] sparc: led: reject zero-length proc writes
From: Andreas Larsson
Date: Fri Jun 12 2026 - 08:24:09 EST
On 2026-03-30 08:29, Pengpeng Hou wrote:
> led_proc_write() passes count straight through memdup_user_nul() and then
> unconditionally inspects buf[count - 1] to strip a trailing newline. A
> zero-length write therefore dereferences one byte before the allocated
> buffer.
>
> Reject empty writes before touching buf[count - 1].
>
> Fixes: ee1858d3122d ("[SPARC]: Add sun4m LED driver.")
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> arch/sparc/kernel/led.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
> index f4fb82b019bb..b9758fdbc054 100644
> --- a/arch/sparc/kernel/led.c
> +++ b/arch/sparc/kernel/led.c
> @@ -70,6 +70,9 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
> {
> char *buf = NULL;
>
> + if (!count)
> + return -EINVAL;
> +
> if (count > LED_MAX_LENGTH)
> count = LED_MAX_LENGTH;
>
I see no need to fail on the empty string in particular when further
down we have a default case:
} else {
auxio_set_led(AUXIO_LED_OFF);
}
for any string not matching particular cases.
Instead, please stop the incorrect buffer access with something like:
diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
index f4fb82b019bb9..9b53ac1fe533d 100644
--- a/arch/sparc/kernel/led.c
+++ b/arch/sparc/kernel/led.c
@@ -78,7 +78,7 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
return PTR_ERR(buf);
/* work around \n when echo'ing into proc */
- if (buf[count - 1] == '\n')
+ if (count > 0 && buf[count - 1] == '\n')
buf[count - 1] = '\0';
/* before we change anything we want to stop any running timers,
Thanks,
Andreas