Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()

From: Greg Kroah-Hartman
Date: Sun Nov 02 2025 - 20:05:42 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH v2] misc: rp1: Fix a reference leak"
Previous message: John Hubbard: "Re: [PATCH v4 3/3] gpu: nova-core: add boot42 support for next-gen GPUs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 30, 2025 at 09:47:22AM +0100, Arnd Bergmann wrote:
> On Thu, Oct 30, 2025, at 06:28, Miaoqian Lin wrote:
> > A malicious user could pass an arbitrarily bad value
> > to memdup_user_nul(), potentially causing kernel crash.
>
> I think you should be more specific than 'kernel crash' here.
> As far as I can tell, the worst case would be temporarily
> consuming a MAX_ORDER_NR_PAGES allocation, leading to out-of-memory.

I think we already limit the size of writes so this shouldn't happen,
but a real trace would be good to see.

> > Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to
> > memdup_user_nul() helper")
>
> I don't think that patch changed anything, the same thing
> would have happened with kmalloc()+copy_from_user().
> Am I missing something?
>
> > + if (count == 0 || count > PAGE_SIZE)
> > + return -EINVAL;
> > +
>
> How did you pick PAGE_SIZE as the maximum here?

I agree, that seems very very small.

thanks,

greg k-h

Next message: Greg Kroah-Hartman: "Re: [PATCH v2] misc: rp1: Fix a reference leak"
Previous message: John Hubbard: "Re: [PATCH v4 3/3] gpu: nova-core: add boot42 support for next-gen GPUs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]