From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
To: Linus Walleij <linusw@kernel.org>,
Bartosz Golaszewski <brgl@kernel.org>,
Kent Gibson <warthog618@gmail.com>, 4fqr <4fqr@proton.me>,
Vincent Fazio <vfazio@xes-inc.com>
Cc: linux-gpio@vger.kernel.org,
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Subject: [PATCH libgpiod 06/14] core: check the value of num_lines returned by the kernel
Date: Tue, 07 Apr 2026 14:49:57 +0200
Message-ID: <20260407-treewide-fixes-v1-6-66c9744a56a3@oss.qualcomm.com>
In-Reply-To: <20260407-treewide-fixes-v1-0-66c9744a56a3@oss.qualcomm.com>

gpiod_line_request_from_uapi() initializes a line request from the kernel
ioctl() response but trusts that num_lines in struct gpio_v2_line_request
will not be greater than 64. If the kernel or a malicious kernel module
returns num_lines > 64, the memcpy() overflows the fixed-size offsets
array. Add a local check in the library.

Fixes: b7ba732e6a93 ("treewide: libgpiod v2 implementation")
Reported-by: 4fqr <4fqr@proton.me>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
---
lib/line-request.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/line-request.c b/lib/line-request.c
index b76b3d72b79ffe60be0dd2fdf28c6e7de35f77d7..2d41d96aeffed731b5039565672ebf894317a2a7 100644
--- a/lib/line-request.c
+++ b/lib/line-request.c
@@ -24,6 +24,11 @@ gpiod_line_request_from_uapi(struct gpio_v2_line_request *uapi_req,
{
struct gpiod_line_request *request;
+ if (uapi_req->num_lines > GPIO_V2_LINES_MAX) {
+ errno = EINVAL;
+ return NULL;
+ }
+
request = malloc(sizeof(*request));
if (!request)
return NULL;
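
Review bot: the new check at the top of gpiod_line_request_from_uapi() has no comment tying it to the copy it protects, and the memcpy() into the fixed-size offsets array named in the commit message is not near it. A one-line comment above "if (uapi_req->num_lines > GPIO_V2_LINES_MAX) {" saying that num_lines comes from the kernel response and bounds the later copy would keep the check from being dropped as redundant in a future cleanup. Placing it before malloc() is right, since the early return then has nothing to free. Two smaller points: "errno = EINVAL;" makes a malformed kernel response look the same to callers as an invalid argument of their own, so consider whether a different errno value would describe this case better or document the choice; and because this path returns NULL exactly like the malloc() failure below it, it is worth confirming that the caller releases whatever the ioctl() response handed back on a NULL return.
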
--
2.47.3
Thread overview: 19+ messages
2026-04-07 12:49 [PATCH libgpiod 00/14] libgpiod: assortment of fixes Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 01/14] bindings: python: fix heap-buffer overflow bugs on setting/getting values Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 02/14] bindings: python: remove duplicated edge detection setting Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 03/14] core: fix 1-byte buffer over-read bugs in gpiod_chip_info_from_uapi() Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 04/14] core: fix parameter type in gpiod_line_mask_test_bit() Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 05/14] core: store debounce_period_us with correct type Bartosz Golaszewski
2026-04-07 12:49 ` Bartosz Golaszewski [this message]
2026-04-07 12:49 ` [PATCH libgpiod 07/14] tools: reject "u" as period unit specifier Bartosz Golaszewski
2026-04-07 12:49 ` [PATCH libgpiod 08/14] tools: fix an integer overflow bug in parse_period() Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 09/14] tools: gpionotify: fix memory leak on every event read Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 10/14] tools: gpionotify: add the missing return value check for calloc() Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 11/14] tools: gpionotify: free pollfds on exit() Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 12/14] tools: gpionotify: don't leak info returned by gpiod_chip_watch_line_info() Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 13/14] tools: gpioinfo: use correct function to free the resolver Bartosz Golaszewski
2026-04-07 12:50 ` [PATCH libgpiod 14/14] dbus: manager: use the correct loop counter in error path Bartosz Golaszewski
2026-04-08 11:45 ` [PATCH libgpiod 00/14] libgpiod: assortment of fixes Vincent Fazio
2026-04-08 16:03 ` Vincent Fazio
2026-04-08 16:20 ` 4fqr
2026-04-09 7:32 ` Bartosz Golaszewski