[PATCH] powerpc/eeh: NUL-terminate debugfs command buffers before sscanf()
From: Pengpeng Hou
Date: Fri Apr 17 2026 - 04:03:10 EST
eeh_force_recover_write() and pnv_eeh_ei_write() copy raw userspace
bytes into fixed stack buffers with simple_write_to_buffer() and then
pass those buffers straight to sscanf().
When userspace fills the buffer completely, the copied command is not
NUL-terminated and sscanf() can read past the end of the stack buffer.
Reject oversized writes and reserve one byte for a terminating NUL before
parsing the command string.
Fixes: 954bd99435b8 ("powerpc/eeh: Add eeh_force_recover to debugfs")
Fixes: 4cf174455899 ("powerpc/powernv: Drop PHB operation post_init()")
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/powerpc/kernel/eeh.c | 11 +++++++++--
arch/powerpc/platforms/powernv/eeh-powernv.c | 11 +++++++++--
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index bb836f02101c..681701ffbf33 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1729,11 +1729,18 @@ static ssize_t eeh_force_recover_write(struct file *filp,
uint32_t phbid, pe_no;
struct eeh_pe *pe;
char buf[20];
- int ret;
+ ssize_t ret;
+
+ if (*ppos != 0 || count >= sizeof(buf))
+ return -EINVAL;
- ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
+ count);
+ if (ret < 0)
+ return ret;
if (!ret)
return -EFAULT;
+ buf[ret] = '\0';
/*
* When PE is NULL the event is a "special" event. Rather than
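Review bot: The new `*ppos != 0` guard rejects any write that does not start at offset 0, which the commit message does not mention and which tightens the debugfs contract for callers that seek or split the command across writes; a one-line comment above the guard would make that explicit, e.g. `/* The command must arrive as a single write at offset 0 with room left for the terminating NUL. */`. A zero-length write appears to still reach `if (!ret) return -EFAULT;` and is reported as -EFAULT, while every other malformed write now returns -EINVAL, so folding `!count` into the new guard would keep the error codes consistent. With `count >= sizeof(buf)` already rejected, the `sizeof(buf) - 1` passed to simple_write_to_buffer() can no longer truncate, so it is purely defensive and worth saying so in the same comment. The same three points apply to the pnv_eeh_ei_write() hunk in eeh-powernv.c. eeh_force_recover_write() continues outside the hunk.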
diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c
index db3370d1673c..88a4acc11186 100644
--- a/arch/powerpc/platforms/powernv/eeh-powernv.c
+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c
@@ -71,15 +71,22 @@ static ssize_t pnv_eeh_ei_write(struct file *filp,
int pe_no, type, func;
unsigned long addr, mask;
char buf[50];
- int ret;
+ ssize_t ret;
if (!eeh_ops || !eeh_ops->err_inject)
return -ENXIO;
+ if (*ppos != 0 || count >= sizeof(buf))
+ return -EINVAL;
+
/* Copy over argument buffer */
- ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
+ count);
+ if (ret < 0)
+ return ret;
if (!ret)
return -EFAULT;
+ buf[ret] = '\0';
/* Retrieve parameters */
ret = sscanf(buf, "%x:%x:%x:%lx:%lx",
--
2.50.1 (Apple Git-155)