Re: [PATCH] ipmi: ipmb: validate write message length
From: Corey Minyard
Date: Wed Jun 24 2026 - 15:05:18 EST
On Wed, Jun 24, 2026 at 07:53:53PM +0200, Yousef Alhouseen wrote:
> ipmb_write() read message fields before validating the length byte.
>
> A zero or short write can read uninitialized stack bytes.
>
> A length smaller than the SMBus header underflows the block write length.
>
> Require a non-empty buffer and the minimum IPMB request length.
>
> Also require the length byte plus payload before parsing the message.
Yes, this is in my next queue for 7.3.
-corey
>
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
> ---
> drivers/char/ipmi/ipmb_dev_int.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
> index 2fe1d205c..dd750392c 100644
> --- a/drivers/char/ipmi/ipmb_dev_int.c
> +++ b/drivers/char/ipmi/ipmb_dev_int.c
> @@ -141,13 +141,14 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
> u8 msg[MAX_MSG_LEN];
> ssize_t ret;
>
> - if (count > sizeof(msg))
> + if (!count || count > sizeof(msg))
> return -EINVAL;
>
> if (copy_from_user(&msg, buf, count))
> return -EFAULT;
>
> - if (count < msg[0])
> + if (msg[IPMB_MSG_LEN_IDX] < IPMB_REQUEST_LEN_MIN ||
> + count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1)
> return -EINVAL;
>
> rq_sa = GET_7BIT_ADDR(msg[RQ_SA_8BIT_IDX]);
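Review bot: the rewritten check at `count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1` relies on two facts that are not stated in the hunk and deserve a comment above it: the `+ 1` is there because the length byte at IPMB_MSG_LEN_IDX does not count itself, and IPMB_REQUEST_LEN_MIN has to be large enough that RQ_SA_8BIT_IDX, read on the very next line, lies within the bytes actually copied. Because `copy_from_user(&msg, buf, count)` fills only `count` bytes of an uninitialized stack array, that pair of conditions is what makes `msg[RQ_SA_8BIT_IDX]` a defined value; a short comment such as `/* length byte excludes itself; the minimum covers the header fields read below */` would make the invariant visible to the next person editing this function. It is also worth stating in the commit message or a comment whether a `count` larger than `msg[IPMB_MSG_LEN_IDX] + 1` (trailing bytes beyond the declared message) is intentionally accepted, since the check only rejects the short case.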
> --
> 2.54.0
>