Fix out-of-bounds access in led_proc_write() when count is 0. Accessing buf[count - 1] with count=0 reads/writes buf[-1].
Check for count==0 and return -EINVAL early to fix this.
Found via static analysis and code review.
Fixes: ee1858d3122d ("[SPARC]: Add sun4m LED driver.") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin linmq006@gmail.com --- arch/sparc/kernel/led.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c index f4fb82b019bb..aa0ca0d8d0e2 100644 --- a/arch/sparc/kernel/led.c +++ b/arch/sparc/kernel/led.c @@ -70,6 +70,9 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer, { char *buf = NULL;
+ if (count == 0) + return -EINVAL; + if (count > LED_MAX_LENGTH) count = LED_MAX_LENGTH;