mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 17:12:50 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
0eb09f737428e482a32a2e31e5e223f2b35a71d3
linux/drivers
History
Tyllis Xu 0eb09f7374 ibmasm: fix OOB reads in command_file_write due to missing size checks 
The command_file_write() handler allocates a kernel buffer of exactly
count bytes and copies user data into it, but does not validate the
buffer against the dot command protocol before passing it to
get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size,
data_size) are independently user-controlled, an attacker can cause
get_dot_command_size() to return a value exceeding the allocation,
triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct
dot_command_header) before allocation, then after copying user data
reject commands where the buffer is smaller than the total size declared
by the header (sizeof(header) + command_size + data_size). This ensures
all subsequent header and payload field accesses stay within the buffer.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260314165355.548119-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-04-02 16:30:53 +02:00
..
accel
accel/amdxdna: Fix runtime suspend deadlock when there is pending job
2026-03-10 11:46:40 -07:00
accessibility
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
acpi
Merge branch 'acpi-osl'
2026-03-12 18:42:41 +01:00
amba
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
android
rust_binder: add command/return tracepoints
2026-04-01 12:18:22 +02:00
ata
ata: libata-eh: Fix detection of deferred qc timeouts
2026-03-06 09:58:47 +01:00
atm
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
auxdisplay
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
base
Revert "driver core: enforce device_lock for driver_match_device()"
2026-03-03 13:12:42 +01:00
bcma
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
block
Merge tag 'block-7.0-20260312' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
2026-03-13 10:13:06 -07:00
bluetooth
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
bus
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
cache
cdrom
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
cdx
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
char
Merge tag 'for-linus-7.0-1' of https://github.com/cminyard/linux-ipmi
2026-02-26 14:34:21 -08:00
clk
clk: scu/imx8qxp: do not register driver in probe()
2026-02-24 12:54:17 +01:00
clocksource
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
comedi
comedi: ni_usb6501: refactor endpoint lookup
2026-04-02 15:55:01 +02:00
connector
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
counter
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
cpufreq
cpufreq: intel_pstate: Fix crash during turbo disable
2026-02-25 14:39:19 +01:00
cpuidle
sched: idle: Make skipping governor callbacks more consistent
2026-03-10 16:03:02 +01:00
crypto
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
2026-02-28 12:53:25 +09:00
cxl
cxl/region: Test CXL_DECODER_F_NORMALIZED_ADDRESSING as a bitmask
2026-02-24 08:33:30 -07:00
dax
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
dca
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
devfreq
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
dibs
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
dio
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
dma
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
dma-buf
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
dpll
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
edac
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
eisa
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
extcon
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
firewire
firewire: ohci: initialize page array to use alloc_pages_bulk() correctly
2026-02-28 10:09:24 -08:00
firmware
Merge tag 'char-misc-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-03-14 09:38:49 -07:00
fpga
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
fsi
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
fwctl
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
gnss
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
gpib
gpib: ni_usb: drop redundant device reference
2026-03-16 11:48:54 +01:00
gpio
gpiolib: normalize the return value of gc->get() on behalf of buggy drivers
2026-02-23 11:49:23 +01:00
gpu
Merge tag 'drm-rust-fixes-2026-03-12' of https://gitlab.freedesktop.org/drm/rust/kernel into drm-fixes
2026-03-13 10:40:17 +10:00
greybus
greybus: gb-beagleplay: bound bootloader receive buffering
2026-04-02 15:55:09 +02:00
hid
Merge tag 'hid-for-linus-2026030601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
2026-03-06 10:00:58 -08:00
hsi
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
hte
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
hv
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
hwmon
Merge tag 'i3c/fixes-for-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux
2026-03-14 16:25:10 -07:00
hwspinlock
Merge tag 'soc-drivers-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2026-02-10 20:45:30 -08:00
hwtracing
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
i2c
i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock"
2026-03-04 12:44:14 +01:00
i3c
i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
2026-03-11 22:50:29 +01:00
idle
intel_idle: Add C-states validation
2026-01-07 21:17:43 +01:00
iio
iio: amplifiers: ad8366: add support for adrf5702/3
2026-03-26 20:10:26 +00:00
infiniband
RDMA/uverbs: Import DMA-BUF module in uverbs_std_types_dmabuf file
2026-02-26 04:58:24 -05:00
input
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
interconnect
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
iommu
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
ipack
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
irqchip
irqchip/riscv-aplic: Register syscore operations only once
2026-03-10 18:42:34 +01:00
isdn
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
leds
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
macintosh
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
mailbox
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
mcb
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
md
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
media
Merge tag 'media/v7.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
2026-03-04 08:12:06 -08:00
memory
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
memstick
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
message
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
mfd
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
misc
ibmasm: fix OOB reads in command_file_write due to missing size checks
2026-04-02 16:30:53 +02:00
mmc
mmc: sdhci-brcmstb: use correct register offset for V1 pin_sel restore
2026-02-23 12:05:20 +01:00
most
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
mtd
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
mux
mux: mmio: Zero the allocated memory
2026-03-17 16:38:25 +01:00
net
Merge tag 'net-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-12 11:33:35 -07:00
nfc
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
ntb
Merge tag 'kmalloc_obj-treewide-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
2026-02-21 11:02:58 -08:00
nubus
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nvdimm
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
nvme
Merge tag 'block-7.0-20260312' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
2026-03-13 10:13:06 -07:00
nvmem
nvmem: rockchip-otp: Add support for RK3528
2026-04-02 16:15:56 +02:00
of
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
opp
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
parisc
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
parport
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
pci
Merge tag 'for-linus-7.0-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
2026-03-07 07:44:32 -08:00
pcmcia
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
peci
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
perf
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
phy
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
pinctrl
pinctrl: cy8c95x0: Don't miss reading the last bank registers
2026-02-26 23:41:04 +01:00
platform
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
2026-03-03 14:45:17 +02:00
pmdomain
Merge tag 'pmdomain-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
2026-03-06 09:16:39 -08:00
pnp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
power
power: sequencing: pcie-m2: Fix device node reference leak in probe
2026-03-04 09:16:41 +01:00
powercap
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
pps
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ps3
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ptp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
pwm
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
rapidio
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ras
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
regulator
regulator: pca9450: Correct probed name for PCA9452
2026-03-10 14:52:42 +00:00
remoteproc
remoteproc: imx_rproc: Fix unreachable platform prepare_ops
2026-03-05 10:18:23 -07:00
resctrl
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
reset
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
rpmsg
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
rtc
Merge tag 'rtc-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
2026-02-22 09:43:11 -08:00
s390
Merge tag 's390-7.0-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
2026-03-13 14:18:13 -07:00
sbus
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
scsi
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
2026-03-15 13:15:39 -07:00
sh
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
siox
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
slimbus
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
soc
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
soundwire
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
spi
spi: atcspi200: Handle invalid buswidth and fix compiler warning
2026-03-11 19:08:43 +00:00
spmi
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ssb
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
staging
Merge tag 'v7.0-rc4' into togreg
2026-03-22 12:20:42 +00:00
target
scsi: target: Fix recursive locking in __configfs_open_file()
2026-02-28 20:41:52 -05:00
tc
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
tee
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
thermal
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
thunderbolt
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
tty
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
ufs
scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
2026-03-07 11:08:39 -05:00
uio
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
usb
USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
2026-03-13 18:19:07 +01:00
vdpa
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
vfio
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
vhost
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
video
fbdev: au1100fb: Fix build on MIPS64
2026-03-05 17:35:12 +01:00
virt
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
virtio
Convert more 'alloc_obj' cases to default GFP_KERNEL arguments
2026-02-21 20:03:00 -08:00
w1
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
watchdog
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xen
Merge tag 'for-linus-7.0-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
2026-03-07 07:44:32 -08:00
zorro
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
Kconfig
Merge tag 'staging-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
2025-12-06 18:52:00 -08:00
Makefile
phy: enter drivers/phy/Makefile even without CONFIG_GENERIC_PHY
2026-02-04 20:45:26 +05:30