Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in idt_dbgfs_csr_write()

On Thu, Oct 30, 2025, at 06:28, Miaoqian Lin wrote:

A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash.

I think you should be more specific than 'kernel crash' here. As far as I can tell, the worst case would be temporarily consuming a MAX_ORDER_NR_PAGES allocation, leading to out-of-memory.

Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to memdup_user_nul() helper")

I don't think that patch changed anything, the same thing would have happened with kmalloc()+copy_from_user(). Am I missing something?

• if (count == 0 || count > PAGE_SIZE)

• return -EINVAL;
  

How did you pick PAGE_SIZE as the maximum here?

Arnd