On Wed, Jun 25, 2025 at 10:23:26AM -0500, Dan Carpenter wrote: > The "einj_buf" buffer is 32 chars. Verify that "count" is not too large > for that. Also leave the last character as a NUL terminator to ensure > the string is properly terminated. > > Fixes: 0c6176e1e186 ("ACPI: APEI: EINJ: Enable the discovery of EINJv2 capabilities") > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > drivers/acpi/apei/einj-core.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c > index d6d7e36e3647..e77c0d4b4ee5 100644 > --- a/drivers/acpi/apei/einj-core.c > +++ b/drivers/acpi/apei/einj-core.c > @@ -826,8 +826,11 @@ static ssize_t error_type_set(struct file *file, const char __user *buf, > int rc; > u64 val; > > + if (count > sizeof(einj_buf)) > + return -EINVAL; > + > memset(einj_buf, 0, sizeof(einj_buf)); > - if (copy_from_user(einj_buf, buf, count)) > + if (copy_from_user(einj_buf, buf, min(count, sizeof((einj_buf) - 1)))) Nope. I put the parentheses in the wrong place... Let me resend. regards, dan carpenter
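Review bot: In the copy_from_user() line, `sizeof((einj_buf) - 1)` measures the pointer expression `einj_buf - 1`, not the array, so the bound passed to min() is the size of a pointer (8 on a 64-bit build) rather than 31. Writes to the 32-char buffer would be cut off after the first few bytes. The bound intended by the commit message is `min(count, sizeof(einj_buf) - 1)`. Separately, the new check `count > sizeof(einj_buf)` still accepts count == 32, which the min() then silently truncates to keep the NUL terminator. Rejecting `count > sizeof(einj_buf) - 1` with -EINVAL would make the min() unnecessary and avoid parsing a truncated value.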