PT-2026-43861 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45994

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command file write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.
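
An added example, not the kernel patch and not code from this page: a userspace C model of the two guards described above, run over three constructed writes. The struct field layout, the function name validate_command_write() and the sample byte strings are assumptions made for illustration; the kernel applies the first guard before allocation and the second after copying user data, which this model folds into one function.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the header; the field layout is an assumption. */
struct dot_command_header {
	uint8_t  type;
	uint8_t  command_size;
	uint16_t data_size;
	uint8_t  status;
	uint8_t  reserved;
};

/* Returns 0 if a write of count bytes is self-consistent, -EINVAL if not. */
int validate_command_write(const void *buf, size_t count)
{
	struct dot_command_header h;

	/* Guard 1: the write must hold at least a complete header. */
	if (count < sizeof(h))
		return -EINVAL;

	memcpy(&h, buf, sizeof(h));	/* in bounds because of guard 1 */

	/* Guard 2: the buffer must cover the total size the header declares. */
	if (count < sizeof(h) + h.command_size + h.data_size)
		return -EINVAL;

	return 0;
}

/* Constructed sample writes, not captured traffic. */
static const uint8_t short_write[]  = { 0x00, 0x03 };
/* command_size = 3 and a non-zero data_size, but no payload follows. */
static const uint8_t lying_header[] = { 0x00, 0x03, 0x00, 0x01, 0x00, 0x00 };
/* command_size = 3, data_size = 0, then exactly three command bytes. */
static const uint8_t well_formed[]  = { 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
					0x01, 0x02, 0x03 };

int main(void)
{
	printf("short write:  %d\n", validate_command_write(short_write, sizeof(short_write)));
	printf("lying header: %d\n", validate_command_write(lying_header, sizeof(lying_header)));
	printf("well formed:  %d\n", validate_command_write(well_formed, sizeof(well_formed)));
	return 0;
}
```

Without the second guard, the lying_header case is the one where the size derived from the header exceeds the bytes actually allocated, so every later access sized by the header runs past the buffer.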

Related Identifiers

CVE-2026-45994

Affected Products

Linux