The "einj_buf" buffer is 32 chars. If "count" is larger than that it
results in memory corruption. Cap it at 31 so that we leave the last
character as a NUL terminator. By the way, the highest reasonable value
for "count" is 24.
Fixes: 0c6176e1e186 ("ACPI: APEI: EINJ: Enable the discovery of EINJv2 capabilities")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
v3: Style improvements. Add a comment.
v2: I introduces a bug in v1 because I put parentheses in the wrong place.
drivers/acpi/apei/einj-core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
index d6d7e36e3647..f5cfa6310f0e 100644
--- a/drivers/acpi/apei/einj-core.c
+++ b/drivers/acpi/apei/einj-core.c
@@ -826,6 +826,10 @@ static ssize_t error_type_set(struct file *file, const char __user *buf,
int rc;
u64 val;
+ /* Leave the last character for the NUL terminator */
+ if (count > sizeof(einj_buf) - 1)
+ return -EINVAL;
+
memset(einj_buf, 0, sizeof(einj_buf));
if (copy_from_user(einj_buf, buf, count))
return -EFAULT;
--
2.47.2
