Commit c366a7b5 authored Apr 17, 2026 by Pengpeng Hou Committed by Alexander Gordeev Apr 28, 2026

s390/debug: Reject zero-length input before trimming a newline



debug_get_user_string() duplicates the userspace buffer with
memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
to strip a trailing newline.

A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.

Reject empty writes before accessing the last input byte.

Fixes: 66a464db ("[PATCH] s390: debug feature changes")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260417073530.96002-1-pengpeng@iscas.ac.cn


Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>

parent 254f4963

arch/s390/kernel/debug.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1414,6 +1414,9 @@ static inline char debug_get_user_string(const char __user user_buf,
		{
		char *buffer;

		if (!user_len)
		return ERR_PTR(-EINVAL);

		buffer = memdup_user_nul(user_buf, user_len);
		if (IS_ERR(buffer))
		return buffer;