Re: Re: [PATCH] dev/parport: fix the array out-of-bounds risk

[tuhaowen]

On Thu, Jul 04, 2024 at 06:07:47PM +0800, Greg Kroah-Hartman wrote:

> Usually because no one actually has this hardware anymore :)
> 
> Can you also properly test the buffer size when writing into it so that
> even if the math is incorrect, it will not overflow?


As of now, I have encountered these three devices: BUNET BU1L02,
EB-LINK EB-2C1B01, and SYBA FG-EMT03A-N. When these PCIe to parallel
port cards are installed, the system experiences abnormal reboots.
I am not sure if there are other devices with these issues.

Below is the stack trace I encountered during the actual issue:

[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:
Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]
[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:
QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2
[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp
[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun
PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024
[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:
[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0
[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20
[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c
[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc
[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38
[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]


The array buffer size is 20 bytes.
When executing code in a 64-bit CPU environment,
up to 44 bytes of data will be written into this array
(the size of "%lu\t%lu\n" is 21 + 1 + 21 + 1).

This modification will resolve the current issue without introducing new problems.

Thanks,

Haowen.Tu