| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Jan 2024 19:56:44 +0300
From: Alexey Khoroshilov <khoroshilov@...ras.ru>
To: Andrey Shumilin <shum.sdl@...ct.ru>,
Sudip Mukherjee <sudipm.mukherjee@...il.com>
Cc: linux-kernel@...r.kernel.org,
"lvc-project@...uxtesting.org" <lvc-project@...uxtesting.org>
Subject: Re: [PATCH 2/2] procfs.c: Increasing array size
On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.
I would update subject and description like that:
paport: Fix potential buffer overflow in do_hardware_base_addr()
The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.
Otherwise, looks good to me.
Reviewed-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Andrey Shumilin <shum.sdl@...ct.ru>
> ---
> drivers/parport/procfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
> void *result, size_t *lenp, loff_t *ppos)
> {
> struct parport *port = (struct parport *)table->extra1;
> - char buffer[20];
> + char buffer[44];
> int len = 0;
>
> if (*ppos) {
>
Powered by blists - more mailing lists