authorVasily Gorbik <gor@linux.ibm.com>2026-04-17 15:33:43 +0300
committerAlexander Gordeev <agordeev@linux.ibm.com>2026-04-28 15:45:02 +0300
commite14622a7584f9608927c59a7d6ae4a0999dc545e (patch)
tree88e1b377ef7b563aaff15d539458d9de376b6363
parentc366a7b5ed7564e41345c380285bd3f6cb98971b (diff)
s390/debug: Reject zero-length input in debug_input_flush_fn()
debug_input_flush_fn() always copies one byte from the userspace buffer with copy_from_user() regardless of the supplied write length. A zero-length write therefore reads one byte beyond the caller's buffer. If the stale byte happens to be '-' or a digit the debug log is silently flushed. With an unmapped buffer the call returns -EFAULT. Reject zero-length writes before copying from userspace. Cc: stable@vger.kernel.org # v5.10+ Acked-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-rw-r--r--arch/s390/kernel/debug.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 2612f634e826..7650f2adb5cf 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1587,6 +1587,11 @@ static int debug_input_flush_fn(debug_info_t *id, struct debug_view *view,
char input_buf[1];
int rc = user_len;
+ if (!user_len) {
+ rc = -EINVAL;
+ goto out;
+ }
+
if (user_len > 0x10000)
user_len = 0x10000;
if (*offset != 0) {
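Review bot: The new `if (!user_len)` guard has no comment tying it to the fixed one-byte copy the commit message describes, so a later reader may take it for an arbitrary restriction. A line such as `/* the copy below always reads one byte; a zero-length write would read past the caller's buffer */` above the check would keep the reason next to it. The guard also sits ahead of the `*offset != 0` test, so a zero-length write at a non-zero offset now gets -EINVAL where it presumably took the offset branch before; worth confirming that this ordering, and returning an error rather than 0 for an empty write, is the intended userspace-visible behaviour. The function body starts and ends outside the hunk, so the copy itself and the `out` label are not visible here.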