Re: CVE-2022-49267: mmc: core: use sysfs_emit() instead of sprintf()
From: Siddh Raman Pant
Date: Tue Mar 24 2026 - 03:52:24 EST

On Wed, 26 Feb 2025 02:57:52 +0100, Greg Kroah-Hartman wrote:
> In the Linux kernel, the following vulnerability has been resolved:
>
> mmc: core: use sysfs_emit() instead of sprintf()
>
> sprintf() (still used in the MMC core for the sysfs output) is vulnerable
> to the buffer overflow. Use the new-fangled sysfs_emit() instead.
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> analysis tool.
>
> The Linux kernel CVE team has assigned CVE-2022-49267 to this issue.

What overflow does this actually fix? I think this is a defensive patch.

In fact, you asked the same question earlier during stable backport
which apparently got no reply:
https://lore.kernel.org/all/2025121205-wool-undesired-0609@gregkh/

Thanks,
Siddh
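
Added example (not part of the original message and not kernel source): a user-space C model of the bound that the quoted change introduces. The kernel's sysfs_emit() refuses a buffer that is not page-aligned and limits the write to PAGE_SIZE with vscnprintf(), whereas sprintf() takes no size at all. The model_* and demo_* names, the guard region and the 4 KiB page size are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096 /* assumption: 4 KiB pages */

/* Two "pages": the first is the sysfs buffer, the second a guard region. */
static char pages[2 * MODEL_PAGE_SIZE] __attribute__((aligned(MODEL_PAGE_SIZE)));

/* Model of sysfs_emit(): reject NULL/unaligned buf, write at most one page. */
int model_sysfs_emit(char *buf, const char *fmt, ...)
{
    va_list args;
    int len;

    if (!buf || ((uintptr_t)buf & (MODEL_PAGE_SIZE - 1)))
        return 0; /* the kernel WARNs and returns 0 here */
    va_start(args, fmt);
    len = vsnprintf(buf, MODEL_PAGE_SIZE, fmt, args);
    va_end(args);
    if (len < 0)
        return 0;
    /* vscnprintf() semantics: report bytes stored, not bytes wanted */
    return len >= MODEL_PAGE_SIZE ? MODEL_PAGE_SIZE - 1 : len;
}

/* Short numeric attribute: well under a page, so nothing is truncated. */
int demo_short_attr(unsigned int value)
{
    return model_sysfs_emit(pages, "%u\n", value);
}

/* Output wider than a page: returns stored length, or -1 if the guard changed. */
int demo_oversized(int want)
{
    int len, i;

    memset(pages + MODEL_PAGE_SIZE, 0x5a, MODEL_PAGE_SIZE);
    len = model_sysfs_emit(pages, "%*s\n", want, "x"); /* wants want + 1 bytes */
    for (i = 0; i < MODEL_PAGE_SIZE; i++)
        if (pages[MODEL_PAGE_SIZE + i] != 0x5a)
            return -1;
    return len;
}

/* A buffer that is not page-aligned is refused outright. */
int demo_misaligned(void) { return model_sysfs_emit(pages + 8, "%u\n", 1u); }

int main(void)
{
    printf("short=%d oversized=%d misaligned=%d\n",
           demo_short_attr(512), demo_oversized(5000), demo_misaligned());
    return 0;
}
```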