probe_store() and remove_store() pass count to ibmebus_chomp(), whose
newline stripping logic unconditionally inspects out[count - 1]. A
zero-length write therefore reads one byte before the allocated buffer.

Reject empty writes before calling ibmebus_chomp().

Fixes: 0727702a3a6a ("[POWERPC] ibmebus: change probe/remove interface from using loc-code to DT path")
Signed-off-by: Pengpeng Hou <[email protected]>
---
 arch/powerpc/platforms/pseries/ibmebus.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/powerpc/platforms/pseries/ibmebus.c 
b/arch/powerpc/platforms/pseries/ibmebus.c
index cad2deb7e70d..5faf1a5754de 100644
--- a/arch/powerpc/platforms/pseries/ibmebus.c
+++ b/arch/powerpc/platforms/pseries/ibmebus.c
@@ -276,6 +276,9 @@ static ssize_t probe_store(const struct bus_type *bus, 
const char *buf, size_t c
        char *path;
        ssize_t rc = 0;
 
+       if (!count)
+               return -EINVAL;
+
        path = ibmebus_chomp(buf, count);
        if (!path)
                return -ENOMEM;
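Review bot: the guard is placed in the caller rather than in ibmebus_chomp(), which is the function that actually evaluates out[count - 1], so any future third caller of ibmebus_chomp() would need to remember the same check; a single `if (!count)` at the top of ibmebus_chomp() would cover every caller. The wrinkle with that alternative is that ibmebus_chomp() already reports failure with NULL, which this caller maps to -ENOMEM, so an empty write would surface as the wrong errno unless the helper gains a way to distinguish the two cases. Keeping the check here with -EINVAL is defensible; it just needs to be mirrored in every store handler that calls the helper.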
@@ -312,6 +315,9 @@ static ssize_t remove_store(const struct bus_type *bus, 
const char *buf, size_t
        struct device *dev;
        char *path;
 
+       if (!count)
+               return -EINVAL;
+
        path = ibmebus_chomp(buf, count);
        if (!path)
                return -ENOMEM;
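Review bot: this is the same three-line guard as in probe_store() copied verbatim, which is acceptable with only two callers, but the commit message above describes the fault only as a one-byte read before the allocation; if the newline-stripping logic the message refers to also stores '\0' back through out[count - 1] when that byte happens to be '\n', the bug is an out-of-bounds read and write, and the changelog (and the reviewer's severity judgement) should say so. Consider also adding `Cc: [email protected]` alongside the Fixes: tag, since the commit it fixes is old and the trigger is an unprivileged-looking zero-length sysfs write.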
-- 
2.50.1 (Apple Git-155)
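As an added illustration, not code from the patch, the kernel, or the author: a user-space model of the "copy, terminate, strip trailing newline" pattern the commit message attributes to ibmebus_chomp(), shown once unguarded and once with the empty-input check the patch adds. The function names, the error-pointer convention and the sample inputs are assumptions made for this example; the kernel helper's real body is not on the page.

```c
/* Added example, not the kernel's ibmebus_chomp(): a user-space model of
 * the pattern described in the commit message, with and without the
 * count == 0 guard. Names and the *err convention are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Unguarded model of the bug. With count == 0, out[count - 1] indexes
 * out[(size_t)-1], the byte just before the heap allocation: an
 * out-of-bounds read, and an out-of-bounds write if that byte is '\n'.
 * Kept only to show the shape of the fault; never call it with 0. */
char *chomp_unguarded(const char *in, size_t count)
{
	char *out = malloc(count + 1);

	if (!out)
		return NULL;
	memcpy(out, in, count);
	out[count] = '\0';
	if (out[count - 1] == '\n')	/* underflows when count == 0 */
		out[count - 1] = '\0';
	return out;
}

/* Guarded model mirroring the patch: an empty write is rejected with
 * -EINVAL (reported through *err, since NULL alone would be mistaken for
 * allocation failure), so out[count - 1] is only touched when count >= 1. */
char *chomp_guarded(const char *in, size_t count, int *err)
{
	char *out;

	*err = 0;
	if (!count) {
		*err = -EINVAL;
		return NULL;
	}
	out = malloc(count + 1);
	if (!out) {
		*err = -ENOMEM;
		return NULL;
	}
	memcpy(out, in, count);
	out[count] = '\0';
	if (out[count - 1] == '\n')
		out[count - 1] = '\0';
	return out;
}
```

Run the unguarded version under AddressSanitizer or Valgrind with a zero-length input to see the one-byte underflow reported; the guarded version turns the same input into a clean -EINVAL before any allocation happens, which is also why the check in the patch sits before the call rather than after it.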