[PATCH] dev/parport: fix the array out-of-bounds risk

From: tuhaowen
Date: Mon May 27 2024 - 03:24:31 EST

Next message: syzbot: "[syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync"
Previous message: Philipp Zabel: "Re: [PATCH 0/3] reset: Convert to platform remove callback returning void"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The array buffer size is 20 bytes.
When executing code in a 64-bit CPU environment, up to 42 bytes of
data will be written into this array
(the size of "%lu\t%lu\n" is 20 +1 + 20 + 1).

In fact, this line of code for 32-bit CPUs also has the risk of
crossing the boundary, but it can exceed 2 bytes at most. With good
luck, it is local variables that are damaged, and there are no serious
consequences.

Signed-off-by: tuhaowen <tuhaowen@xxxxxxxxxxxxx>
---
drivers/parport/procfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
index bd388560ed59..9f501d5fa1ec 100644
--- a/drivers/parport/procfs.c
+++ b/drivers/parport/procfs.c
@@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
void *result, size_t *lenp, loff_t *ppos)
{
struct parport *port = (struct parport *)table->extra1;
- char buffer[20];
+ char buffer[64];
int len = 0;

if (*ppos) {
--
2.20.1

Next message: syzbot: "[syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync"
Previous message: Philipp Zabel: "Re: [PATCH 0/3] reset: Convert to platform remove callback returning void"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]