Hi,
Static analysis on linux-next today has found a potential buffer overflow in fs/btrfs/sysfs.c in function btrfs_read_policy_to_enum()
The strcpy to string param has no length checks on str and hence if str is longer than param a buffer overflow on the stack occurs. This can potentially occur when a user writes a long string to the btrfs sysfs file read_policy via btrfs_read_policy_store()
int btrfs_read_policy_to_enum(const char *str, s64 *value)
{
char param[32] = {'\0'};
char *__maybe_unused value_str;
int index;
bool found = false;
if (!str || strlen(str) == 0)
return 0;
strcpy(param, str); /* issue here */
....
}
Colin