Re: [PATCH] s390/debug: reject zero-length input before trimming a newline

Next message: Kevin Brodsky: "Re: [PATCH v6 01/30] mm: Introduce kpkeys"
Previous message: Tudor Ambarus: "Re: [PATCH v2 0/7] thermal: samsung: Add support for Google GS101 TMU"
In reply to: Benjamin Block: "Re: [PATCH] s390/debug: reject zero-length input before trimming a newline"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vasily Gorbik

Date: Fri Apr 17 2026 - 09:08:42 EST

On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
>
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
>
> Reject empty writes before accessing the last input byte.
>
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> arch/s390/kernel/debug.c | 3 +++
> 1 file changed, 3 insertions(+)

Reviewed-by: Vasily Gorbik <gor@xxxxxxxxxxxxx>
Tested-by: Vasily Gorbik <gor@xxxxxxxxxxxxx>

Added
Cc: stable@xxxxxxxxxxxxxxx

And applied, thank you!

I've also addressed Sashiko's complaint [1] about debug_input_flush_fn()
as a separate patch.

[1] https://sashiko.dev/#/patchset/20260417073530.96002-1-pengpeng%40iscas.ac.cn