Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()

Next message: Tian, Kevin: "RE: [PATCH v1 02/20] iommu: Introduce a test_dev domain op and an internal helper"
Previous message: syzbot: "Re: [syzbot] [xfs?] KASAN: slab-use-after-free Read in xfs_buf_rele (4)"
In reply to: Miaoqian Lin: "[PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnd Bergmann

Date: Thu Oct 30 2025 - 04:47:44 EST

On Thu, Oct 30, 2025, at 06:28, Miaoqian Lin wrote:
> A malicious user could pass an arbitrarily bad value
> to memdup_user_nul(), potentially causing kernel crash.

I think you should be more specific than 'kernel crash' here.
As far as I can tell, the worst case would be temporarily
consuming a MAX_ORDER_NR_PAGES allocation, leading to out-of-memory.

> Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to
> memdup_user_nul() helper")

I don't think that patch changed anything, the same thing
would have happened with kmalloc()+copy_from_user().
Am I missing something?

> + if (count == 0 || count > PAGE_SIZE)
> + return -EINVAL;
> +

How did you pick PAGE_SIZE as the maximum here?

Arnd