Commit e14622a7 authored by Vasily Gorbik, committed by Alexander Gordeev

s390/debug: Reject zero-length input in debug_input_flush_fn()



debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.

Reject zero-length writes before copying from userspace.

Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
parent c366a7b5
+5 −0
@@ -1587,6 +1587,11 @@ static int debug_input_flush_fn(debug_info_t *id, struct debug_view *view,
	char input_buf[1];
	int rc = user_len;

	if (!user_len) {
		rc = -EINVAL;
		goto out;
	}

	if (user_len > 0x10000)
		user_len = 0x10000;
	if (*offset != 0) {
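Review bot: The new `if (!user_len)` block at the top of the hunk has no comment saying why a zero length must be rejected here, and the reason (the function goes on to read one byte from the user buffer regardless of length, per the commit message) is not evident from the check itself; a one-line comment above it would keep a later cleanup from dropping it. Two smaller points on the same block: it sits ahead of the `*offset != 0` test, so a zero-length write now gets -EINVAL whatever the offset is, and it leaves via `goto out`, whose target is outside this hunk, so it is worth confirming that path does the right thing with `user_len == 0`. If returning 0 without touching the buffer was considered instead of -EINVAL, stating why it was rejected in the commit message would help stable backporters.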