[PATCH 6.7 219/641] wifi: iwlwifi: fix out of bound copy_from_user

6.7-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anjaneyulu pagadala.yesu.anjaneyulu@intel.com

[ Upstream commit cb2dfacb197bed0241fbb4f84bd0995a47f4465e ]

The driver copies the userspace buffer into an internal NUL byte terminated buffer. While doing so, it was reading beyond the end of the userspace buffer, overwriting its own NUL termination in the process.

Fix this by only copying the correct number of bytes.

Fixes: 3f244876ef73 ("wifi: iwlwifi: make debugfs entries link specific") Signed-off-by: Anjaneyulu pagadala.yesu.anjaneyulu@intel.com Reviewed-by: Gregory Greenman gregory.greenman@intel.com Reviewed-by: Benjamin Berg benjamin.berg@intel.com Signed-off-by: Miri Korenblit miriam.rachel.korenblit@intel.com Link: https://msgid.link/20231219215605.e4913deb2ad4.Idcf6a7e909ff4b7801cd49c2f691... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c index 329c545f65fd..7737650e56cb 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c @@ -1815,7 +1815,7 @@ static ssize_t _iwl_dbgfs_link_sta_##name##_write(struct file *file, \ char buf[buflen] = {}; \ size_t buf_size = min(count, sizeof(buf) - 1); \ \ - if (copy_from_user(buf, user_buf, sizeof(buf))) \ + if (copy_from_user(buf, user_buf, buf_size)) \ return -EFAULT; \ \ return _iwl_dbgfs_link_sta_wrap_write(iwl_dbgfs_##name##_write, \