[PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()

Next message: Maciej Wiecz&#xF3;r-Retman: "Re: [PATCH v6 00/18] kasan: x86: arm64: KASAN tag-based mode for x86"
Previous message: Kairui Song: "Re: [PATCH 14/19] mm, swap: sanitize swap entry management workflow"
Next in thread: Arnd Bergmann: "Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miaoqian Lin

Date: Thu Oct 30 2025 - 01:28:51 EST

A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.

This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
and commit 7ef4c19d245f
("smackfs: restrict bytes count in smackfs write functions")

Found via static analysis and code review.

Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to memdup_user_nul() helper")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Miaoqian Lin <linmq006@xxxxxxxxx>
---
drivers/misc/eeprom/idt_89hpesx.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
index 60c42170d147..b2e771bfc6da 100644
--- a/drivers/misc/eeprom/idt_89hpesx.c
+++ b/drivers/misc/eeprom/idt_89hpesx.c
@@ -907,6 +907,9 @@ static ssize_t idt_dbgfs_csr_write(struct file *filep, const char __user *ubuf,
if (*offp)
return 0;

+ if (count == 0 || count > PAGE_SIZE)
+ return -EINVAL;
+
/* Copy data from User-space */
buf = memdup_user_nul(ubuf, count);
if (IS_ERR(buf))
--
2.39.5 (Apple Git-154)