Re: [PATCH] s390/debug: reject zero-length input before trimming a newline

From: Benjamin Block

Date: Fri Apr 17 2026 - 05:42:42 EST


On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
>
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
>
> Reject empty writes before accessing the last input byte.
>
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
>

There shouldn't be a blank line here.

> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> arch/s390/kernel/debug.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
> index 31430e9bcfdd..2612f634e826 100644
> --- a/arch/s390/kernel/debug.c
> +++ b/arch/s390/kernel/debug.c
> @@ -1414,6 +1414,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
> {
> char *buffer;
>
> + if (!user_len)
> + return ERR_PTR(-EINVAL);
> +
> buffer = memdup_user_nul(user_buf, user_len);
> if (IS_ERR(buffer))
> return buffer;
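
Review bot: the new `if (!user_len)` check at the top of debug_get_user_string() has no comment, and the access it protects is not visible next to it: per the commit message the read of buffer[user_len - 1] happens after memdup_user_nul(), outside this hunk. A one-line comment above the check, saying that the newline trim needs at least one input byte, would keep it from being dropped later as redundant. Returning ERR_PTR(-EINVAL) is consistent with the existing IS_ERR(buffer) path just below, which already hands an error pointer back to the caller, but it does mean a zero-length write now fails rather than being accepted, which is worth stating in the changelog.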

Otherwise this looks good to me.


Reviewed-by: Benjamin Block <bblock@xxxxxxxxxxxxx>

--
Best Regards, Benjamin Block / Linux on IBM Z Kernel Development
IBM Deutschland Research & Development GmbH / https://www.ibm.com/privacy
Chairman of the Supervisory Board: Wolfgang Wendt / Management: David Faller
Registered office: Ehningen / Commercial register: AmtsG Stuttgart, HRB 243294