Re: [PATCH] fwctl: pds: Validate RPC input size before parsing
From: Dave Jiang
Date: Mon May 18 2026 - 11:30:27 EST

On 5/16/26 11:22 PM, Heechan Kang wrote:
> The fwctl core allocates the device-specific RPC input buffer with
> fwctl_rpc.in_len and passes that buffer to the driver callback.
>
> pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
> pdsfc_validate_rpc(), which reads fields from that structure before
> checking that the input buffer is large enough to contain it. A short
> in_len can make pds_fwctl read beyond the allocation.
>
> Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
> parsing any pds-specific fields.
>
> Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
> Cc: stable@xxxxxxxxxxxxxxx # v6.15+
> Signed-off-by: Heechan Kang <gganji11@xxxxxxxxx>

Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>

> ---
> drivers/fwctl/pds/main.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
> index 08872ee8422f..68fe254dd10a 100644
> --- a/drivers/fwctl/pds/main.c
> +++ b/drivers/fwctl/pds/main.c
> @@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
> void *out = NULL;
> int err;
>
> + if (in_len < sizeof(*rpc))
> + return ERR_PTR(-EINVAL);
> +
> err = pdsfc_validate_rpc(pdsfc, rpc, scope);
> if (err)
> return ERR_PTR(err);
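
Review bot: The `in_len < sizeof(*rpc)` test is placed in pdsfc_fw_rpc(), but the function that actually reads the structure, pdsfc_validate_rpc(pdsfc, rpc, scope), takes no length argument, so its safety rests on every caller performing this check first. Consider passing in_len into pdsfc_validate_rpc() and doing the comparison there, or at minimum add a one-line comment above the new check saying it must stay ahead of any dereference of rpc. The comparison covers only the fixed-size struct, so it would also help for the commit message or a comment to say that this is the intended scope of the check.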