From nobody Sun Jun 14 22:32:29 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gdp0Z2sY3z6hb0h for ; Sun, 14 Jun 2026 22:32:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gdp0Y4R6Tz3c6r for ; Sun, 14 Jun 2026 22:32:29 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781476349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ssQqcag/7J2iRdvrDGdyyvfoJ1ooqeSiWBLdkjNORLw=; b=Tz30YCfZz0tftSdy7zyn8RrGveQHarZIRlX7O0VUM+meKMpJNT7i462C3P8vPI4laP6Qdt JhsKULUn8RdmOu5wvVm2dMhWRwCz8adv/SwpLDLZEOOxmT9LwV9rJvBBWhGmoqxL9atr+B i7uKb05QaNCbyoAE8MyHYcdnJNE7ac/Wjyjjn5hosHn3YIZVbF93apetGQRbTY/TVKYQaY 2egASqHANn/r+/DTVA8KLOVu46/EbM5qnXUBluxsOzL8Mig4MKK61dWYp+6y5ZfORcz8Bs b9sALzHMcfTVyexSSCmK+OYmeC5stUxynMTulzZ7YosMJSkUFXhe0no1H1eVOA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781476349; a=rsa-sha256; cv=none; b=sYdYSHiDUnkNQ+UwzLx8BaFPvUPBrW/sxlu0ROUgTz6iFV8iyhamIQKyugF/bks0vt8WA8 +tNRTnXNsZjiivGG2S0NaCOjHEth+uDMD42fXT5LnaaFNY7uTmW8tk/8zZ3Q4651nRN5Un uq6OONo2yRHeNpUHvR+UzjK/pIdx+attjSeczvvE/jQB1h2xGYYHD3/JmtgFXNh+FHgwkO IOZy8sOaPSTJwRwuLAE/SK33g7VEYyFPVEKqHpg6g2fhEiSW5NqYU9aI2+nMkjRH/eGDPE 54a4DPYYnundu28fc625XauczVoKYeBnqu7Q3JGYsI8zfWoyZVYjh+9n62vPCw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781476349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ssQqcag/7J2iRdvrDGdyyvfoJ1ooqeSiWBLdkjNORLw=; b=xy75dOzHJ0k8dGR/+TYLrrJWZF8r0HpP8eb8ARwiApp6JPjqJPbom7rmjzKy874QB29o2F ClGR/WdL+XRWLzASU8RgjofHL7TP/63UEoZrvmXdVnmVHrEu2JgEJsjnQ7PLRNjR3IwCeK VJvE+v4gqK0BfFZyqPa5KzHOIAjlRgFkeXJUjW4QhM7ZE4bJpgKPenEadwolm1YhfEl0pz AWzU27QL7xfbgi6wzQ6bpci0EXqsk4//g03KX8eSoKfjMNYtS7z81moxqy0Yv1raPnHDeM WUq6ffudFJn/rpTzkWQ41dj5cjyO04WR60CzCqZLItomJPsGvevDw6xlX/k+Vw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gdp0Y3zrVzCx9 for ; Sun, 14 Jun 2026 22:32:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 43500 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 14 Jun 2026 22:32:29 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Bjoern A. Zeeb Subject: git: 3fa40c5eb8f5 - main - linudebugfs: fix simple_attr_write_common() kernel buffer List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bz X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3fa40c5eb8f57972bf0b329fd2d36af4d2700b8d Auto-Submitted: auto-generated Date: Sun, 14 Jun 2026 22:32:29 +0000 Message-Id: <6a2f2bfd.43500.7f15f0cf@gitrepo.freebsd.org> The branch main has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=3fa40c5eb8f57972bf0b329fd2d36af4d2700b8d commit 3fa40c5eb8f57972bf0b329fd2d36af4d2700b8d Author: Bjoern A. Zeeb AuthorDate: 2026-06-10 11:04:20 +0000 Commit: Bjoern A. Zeeb CommitDate: 2026-06-14 22:31:38 +0000 linudebugfs: fix simple_attr_write_common() kernel buffer With 2cf15144daf7e we added a kernel buffer for parsing input copying the user buffer into that. The problem is that we only copy exactly as many bytes as the user supplied. printf 1 would have a write_size of 1, while echo 1 would have a write_size of 2 (1\n). But in order to check and parse we need a terminating '\0'. Overallocate the kernel buffer by 1 and make sure it is always '\0' terminated. Remove the check that the string needs to be of different length than the write_size as this will always fail unless the user passes in, e.g., "1\02\n\0" somehow in which case we won't bother as kstrto*ll() will not only handle the '\n' but also stop at '\0' and should be fine or it will fail and we will error. In theory we could use a static buffer here as well as we know a maximum possible length of digits plus \n and \0 and take a min of that buffer length and write_size and then error on a small buffer but given this is an optional debug interface, do not bother with any alloc (size). Fixes: 2cf15144daf7e ("lindebugfs: Pass user buffer pointers ..") Sponsored by: The FreeBSD Foundation Reviewed by: dumbbell MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D57522 --- sys/compat/linuxkpi/common/src/linux_simple_attr.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/sys/compat/linuxkpi/common/src/linux_simple_attr.c b/sys/compat/linuxkpi/common/src/linux_simple_attr.c index e5514194cb33..54eac3bc65fa 100644 --- a/sys/compat/linuxkpi/common/src/linux_simple_attr.c +++ b/sys/compat/linuxkpi/common/src/linux_simple_attr.c @@ -163,15 +163,12 @@ simple_attr_write_common(struct file *filp, const char __user *ubuf, if (*ppos != 0 || write_size < 1) return (-EINVAL); - buf = malloc(write_size, M_LSATTR, M_WAITOK); + buf = malloc(write_size + 1, M_LSATTR, M_WAITOK); if (copy_from_user(buf, ubuf, write_size) != 0) { free(buf, M_LSATTR); return (-EFAULT); } - if (strnlen(buf, write_size) == write_size) { - free(buf, M_LSATTR); - return (-EINVAL); - } + buf[write_size] = '\0'; mutex_lock(&sattr->mutex);