Commit e47029b9 authored Apr 17, 2026 by Tudor Ambarus Committed by Miquel Raynal Apr 27, 2026

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79 ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com

 [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>

parent 254f4963

drivers/mtd/spi-nor/debugfs.c

+3 −1

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0

		#include <linux/array_size.h>
		#include <linux/debugfs.h>
		#include <linux/mtd/spi-nor.h>
		#include <linux/spi/spi.h>
		@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file s, void data)
		seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);

		seq_puts(s, "flags\t\t");
		spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
		spi_nor_print_flags(s, nor->flags, snor_f_names,
		ARRAY_SIZE(snor_f_names));
		seq_puts(s, "\n");

		seq_puts(s, "\nopcodes\n");