Re: [PATCH 2/2] procfs.c: Increasing array size

From: Alexey Khoroshilov
Date: Mon Jan 08 2024 - 12:39:18 EST

Next message: Alexey Khoroshilov: "Re: [PATCH] iphase: Adding a null pointer check"
Previous message: Conor Dooley: "Re: [PATCH v2 3/8] riscv: dts: thead: Add TH1520 pin control nodes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.

I would update subject and description like that:

paport: Fix potential buffer overflow in do_hardware_base_addr()

The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.

Otherwise, looks good to me.

Reviewed-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>

> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Andrey Shumilin <shum.sdl@xxxxxxxx>
> ---
> drivers/parport/procfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
> void *result, size_t *lenp, loff_t *ppos)
> {
> struct parport *port = (struct parport *)table->extra1;
> - char buffer[20];
> + char buffer[44];
> int len = 0;
>
> if (*ppos) {
>

Next message: Alexey Khoroshilov: "Re: [PATCH] iphase: Adding a null pointer check"
Previous message: Conor Dooley: "Re: [PATCH v2 3/8] riscv: dts: thead: Add TH1520 pin control nodes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]