lindebugfs: fix simple_attr_write_common() kernel buffer

With 2cf15144da we added a kernel buffer for parsing input, copying the
user buffer into that.  The problem is that we only copy exactly as many
bytes as the user supplied.  printf 1 would have a write_size of 1, while
echo 1 would have a write_size of 2 (1\n).  But in order to check and
parse we need a terminating '\0'.

Overallocate the kernel buffer by 1 and make sure it is always '\0'
terminated.

Remove the check that the string needs to be of different length than
the write_size as this will always fail unless the user passes in, e.g.,
"1\02\n\0" somehow in which case we won't bother as kstrto*ll() will
not only handle the '\n' but also stop at '\0' and should be fine or
it will fail and we will error.

In theory we could use a static buffer here as well as we know a maximum
possible length of digits plus \n and \0 and take a min of that buffer
length and write_size and then error on a small buffer but given this is
an optional debug interface, do not bother with any alloc (size).

Fixes:		2cf15144da ("lindebugfs: Pass user buffer pointers ..")
Sponsored by:	The FreeBSD Foundation
Reviewed by:	dumbbell
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D57522
Bjoern A. Zeeb
2026-06-10 11:04:20 +00:00
parent 009d92b25f
commit 3fa40c5eb8
@@ -163,15 +163,12 @@ simple_attr_write_common(struct file *filp, const char __user *ubuf,
if (*ppos != 0 || write_size < 1)
return (-EINVAL);
buf = malloc(write_size, M_LSATTR, M_WAITOK);
buf = malloc(write_size + 1, M_LSATTR, M_WAITOK);
if (copy_from_user(buf, ubuf, write_size) != 0) {
free(buf, M_LSATTR);
return (-EFAULT);
}
if (strnlen(buf, write_size) == write_size) {
free(buf, M_LSATTR);
return (-EINVAL);
}
buf[write_size] = '\0';
mutex_lock(&sattr->mutex);
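Review bot: write_size is bounded only from below (`write_size < 1`) before `malloc(write_size + 1, M_LSATTR, M_WAITOK)`, so the allocation size is whatever the writer passes, and whether the `+ 1` can wrap depends on the type of write_size, which is not visible in this hunk. The commit message already notes that the maximum length of digits plus \n and \0 is known; rejecting anything larger with -EINVAL ahead of the malloc would bound the allocation and keep the `buf[write_size] = '\0'` store trivially in range. A short comment at the malloc saying the extra byte is for the terminator would also help, since with the strnlen() check gone nothing in the code states that the buffer must be '\0' terminated before it is parsed.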