Re: [PATCH] auxdisplay: line-display: fix OOB read on zero-length message_store()

Next message: James Clark: "Re: [PATCH v3] perf/core: Fix missing read event generation on task exit"
Previous message: Jianping Li: "[PATCH v5 0/5] misc: fastrpc: Add missing bug fixes"
In reply to: Andy Shevchenko: "Re: [PATCH] auxdisplay: line-display: fix OOB read on zero-length message_store()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stepan Ionichev

Date: Fri May 15 2026 - 09:02:53 EST

On Fri, May 15, 2026 at 10:12:26AM +0300, Andy Shevchenko wrote:
> Isn't it also triggerable when PANEL_BOOT_MESSAGE is left default
> with PANEL_CHANGE_MESSAGE="y"? (However these double quotes makes me
> wonder if this even works, as usually we compare symbols against plain
> 'n'. 'm', or 'y' (without any quotes).

Yes -- the same count guard also covers the init path: when
PANEL_BOOT_MESSAGE="" and PANEL_CHANGE_MESSAGE=y, linedisp_attach()
calls linedisp_display(linedisp, "", -1), so count = strlen("") = 0
and msg[-1] reads .rodata before the empty string literal. KASAN
catches it at boot. The patch covers both paths in one guard.

Re: depends on PANEL_CHANGE_MESSAGE="y" -- agreed, that looks odd.
Normally we'd just write "depends on PANEL_CHANGE_MESSAGE". I can
send a separate Kconfig patch if you'd like.

> In any case this seems a legit report, I will take the change.

Thanks for taking it.

Stepan