[PATCH] ASoC: SOF: debug: Fix a potential issue on string buffer termination

The function simple_write_to_buffer() doesn't add string termination
at the end of buf; we need to add it on our own if calling that
function to write the size of count chars to buf. This change refers
to the function tokenize_input() in debug.c and the function
sof_dfsentry_trace_filter_write() in trace.c.

We didn't find this potential issue in the past because sometimes we
are very lucky: we kzalloc a buf of size count, and the kernel returns
a buf with not only buf[0 ... (count - 1)] = 0 but also buf[count] = 0.
With this luck, this issue will not be exposed.

Fixes: 091c12e1f50c ("ASoC: SOF: debug: add new debugfs entries for IPC flood test")
Signed-off-by: Hui Wang <hui.wang@xxxxxxxxxxxxx>
---
 sound/soc/sof/debug.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c
index 30213a1beaaa..edd4893119dd 100644
--- a/sound/soc/sof/debug.c
+++ b/sound/soc/sof/debug.c
@@ -352,9 +352,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer,
 	char *string;
 	int ret;
 
-	string = kzalloc(count, GFP_KERNEL);
+	string = kzalloc(count+1, GFP_KERNEL);
 	if (!string)
 		return -ENOMEM;
+	string[count] = '\0';
 
 	size = simple_write_to_buffer(string, count, ppos, buffer, count);
 	ret = size;
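
Review bot: the added string[count] = '\0'; after the NULL check is redundant, because kzalloc() zero-fills all count + 1 bytes and simple_write_to_buffer() is still passed count as the available size, so the final byte is never overwritten. Drop that line and keep only the larger allocation, written as kzalloc(count + 1, GFP_KERNEL) with spaces around the operator to match kernel coding style. The commit message also names tokenize_input() and sof_dfsentry_trace_filter_write() in trace.c while the diffstat touches only debug.c; please say whether those are existing examples this fix follows or further call sites that still need the same change.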
-- 
2.25.1



