[PATCH] ipmi: ipmb: validate write message length
From: Yousef Alhouseen
Date: Wed Jun 24 2026 - 13:56:00 EST
ipmb_write() read message fields before validating the length byte.
A zero or short write can read uninitialized stack bytes.
A length smaller than the SMBus header underflows the block write length.
Require a non-empty buffer and the minimum IPMB request length.
Also require the length byte plus payload before parsing the message.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/char/ipmi/ipmb_dev_int.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
index 2fe1d205c..dd750392c 100644
--- a/drivers/char/ipmi/ipmb_dev_int.c
+++ b/drivers/char/ipmi/ipmb_dev_int.c
@@ -141,13 +141,14 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
u8 msg[MAX_MSG_LEN];
ssize_t ret;
- if (count > sizeof(msg))
+ if (!count || count > sizeof(msg))
return -EINVAL;
if (copy_from_user(&msg, buf, count))
return -EFAULT;
- if (count < msg[0])
+ if (msg[IPMB_MSG_LEN_IDX] < IPMB_REQUEST_LEN_MIN ||
+ count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1)
return -EINVAL;
rq_sa = GET_7BIT_ADDR(msg[RQ_SA_8BIT_IDX]);
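Review bot: The second check's new bound, `count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1`, is stricter than the old `count < msg[0]`, so a write whose count equals the length byte was accepted before and now returns -EINVAL. The commit message should state that the length byte does not count itself, and confirm that existing userspace writes length + 1 bytes, since this is a user-visible change. The hunk also does not show that IPMB_REQUEST_LEN_MIN is large enough for `msg[RQ_SA_8BIT_IDX]` and the later field reads to fall inside the copied bytes. A short comment above the check tying the minimum to the highest index parsed would make that verifiable. The `(size_t)` cast is not needed, because a u8 plus 1 cannot overflow after integer promotion. Since the message describes an uninitialized stack read and a length underflow, a Fixes: tag naming the commit that introduced ipmb_write() would help stable backports.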
--
2.54.0