From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
To: Linus Walleij <linusw@kernel.org>,
	Bartosz Golaszewski <brgl@kernel.org>,
	Kent Gibson <warthog618@gmail.com>, 4fqr <4fqr@proton.me>,
	Vincent Fazio <vfazio@xes-inc.com>
Cc: linux-gpio@vger.kernel.org,
	Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Subject: [PATCH libgpiod 01/14] bindings: python: fix heap-buffer overflow bugs on setting/getting values
Date: Tue, 07 Apr 2026 14:49:52 +0200
Message-ID: <20260407-treewide-fixes-v1-1-66c9744a56a3@oss.qualcomm.com>
In-Reply-To: <20260407-treewide-fixes-v1-0-66c9744a56a3@oss.qualcomm.com>

The C extension methods request_set_values() and request_get_values()
iterate over a caller-supplied sequence and write offsets/values into
pre-allocated buffers self->offsets and self->values, without checking
the write index.

If the user tries to read values for more lines than they previously
requested, we overflow the buffers.

Add appropriate bounds checks and implement test cases for this issue.

Fixes: b7ba732e6a93 ("treewide: libgpiod v2 implementation")
Reported-by: 4fqr <4fqr@proton.me>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
---
 bindings/python/gpiod/ext/request.c         | 12 ++++++++++++
 bindings/python/tests/tests_line_request.py | 22 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/bindings/python/gpiod/ext/request.c b/bindings/python/gpiod/ext/request.c
index 997e6fcc65662f48b6767c89ec59cc12bc70b103..9acf828aec8c27cbed2767b76270e308b895147b 100644
--- a/bindings/python/gpiod/ext/request.c
+++ b/bindings/python/gpiod/ext/request.c
@@ -149,6 +149,12 @@ static PyObject *request_get_values(request_object *self, PyObject *args)
 	if (num_offsets < 0)
 		return NULL;
 
+	if (num_offsets > (Py_ssize_t)self->num_lines) {
+		PyErr_SetString(PyExc_ValueError,
+				"number of offsets exceeds the number of requested lines");
+		return NULL;
+	}
+
 	iter = PyObject_GetIter(offsets);
 	if (!iter)
 		return NULL;
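
Review bot: the new check in request_get_values() bounds the length reported for offsets, not the write index, while the code that follows walks the object through PyObject_GetIter(offsets). If a caller passes an object whose reported length and iterator output disagree, the writes into self->offsets and self->values can still run past self->num_lines. Consider also stopping with ValueError inside the loop once the index reaches self->num_lines, so the guarantee does not depend on the two agreeing. Minor: a comment on the (Py_ssize_t) cast noting that num_lines is assumed small enough to fit would help the next reader.
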
@@ -212,6 +218,12 @@ static PyObject *request_set_values(request_object *self, PyObject *args)
 	if (!ret)
 		return NULL;
 
+	if (PyObject_Size(values) > (Py_ssize_t)self->num_lines) {
+		PyErr_SetString(PyExc_ValueError,
+				"number of offsets exceeds the number of requested lines");
+		return NULL;
+	}
+
 	clear_buffers(self);
 
 	/* Note: pos may not be contiguous. */
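
Review bot: the result of PyObject_Size(values) in request_set_values() is compared directly, so the -1 error return is not handled: -1 is never greater than num_lines, and the function carries on to clear_buffers() with an exception pending. The get path checks num_offsets < 0 before its bound; doing the same here (store the size in a Py_ssize_t, return NULL when it is negative, then compare) would keep the two functions consistent. The message also says "number of offsets" although the object being counted is values; "number of values exceeds the number of requested lines" would describe this path more accurately.
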
diff --git a/bindings/python/tests/tests_line_request.py b/bindings/python/tests/tests_line_request.py
index 8cb0f2c05d916f0641769b8c386d2a6e708896e3..bc85eba0ba358c39fbaca6677739e02ea7cc4fcd 100644
--- a/bindings/python/tests/tests_line_request.py
+++ b/bindings/python/tests/tests_line_request.py
@@ -676,6 +676,28 @@ class LineRequestSurvivesParentChip(TestCase):
         req.release()
 
 
+class UsingMoreLinesThanRequestedNotAllowed(TestCase):
+    def setUp(self) -> None:
+        self.sim = gpiosim.Chip(num_lines=4)
+
+    def tearDown(self) -> None:
+        del self.sim
+
+    def test_line_get_more_values_than_requested_lines(self) -> None:
+        with gpiod.request_lines(
+            self.sim.dev_path, config={0: gpiod.LineSettings(direction=Direction.INPUT)}
+        ) as req:
+            with self.assertRaises(ValueError):
+                req.get_values(list(range(64)))
+
+    def test_line_set_more_values_than_requested_lines(self) -> None:
+        with gpiod.request_lines(
+            self.sim.dev_path, config={0: gpiod.LineSettings(direction=Direction.OUTPUT)}
+        ) as req:
+            with self.assertRaises(ValueError):
+                req.set_values({i: Value.ACTIVE for i in range(64)})
+
+
 class LineRequestStringRepresentation(TestCase):
     def setUp(self) -> None:
         self.sim = gpiosim.Chip(num_lines=8)
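
Review bot: both tests in UsingMoreLinesThanRequestedNotAllowed pass 64 offsets against a 4-line simulated chip with only offset 0 requested, so every offset except 0 is also outside the request and most are outside the chip. A ValueError raised for that reason would make these tests pass without the new bounds check ever running. Using assertRaisesRegex with the "exceeds the number of requested lines" message would pin the test to the check being added. It would also help to cover the boundary: one entry more than the number of requested lines should raise, and exactly that number should still succeed.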

-- 
2.47.3

