| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240617012118.27341-1-tuhaowen@uniontech.com>
Date: Mon, 17 Jun 2024 09:21:18 +0800
From: tuhaowen <tuhaowen@...ontech.com>
To: sudipm.mukherjee@...il.com
Cc: linux-kernel@...r.kernel.org,
huangbibo@...ontech.com,
wangyuli@...ontech.com,
tuhaowen <tuhaowen@...ontech.com>
Subject: [RESEND. PATCH] dev/parport: fix the array out-of-bounds risk
The array buffer size is 20 bytes.
When executing code in a 64-bit CPU environment, up to 42 bytes of
data will be written into this array
(the size of "%lu\t%lu\n" is 20 +1 + 20 + 1).
In fact, this line of code for 32-bit CPUs also has the risk of
crossing the boundary, but it can exceed 2 bytes at most. With good
luck, it is local variables that are damaged, and there are no serious
consequences.
Signed-off-by: tuhaowen <tuhaowen@...ontech.com>
---
drivers/parport/procfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
index bd388560ed59..9f501d5fa1ec 100644
--- a/drivers/parport/procfs.c
+++ b/drivers/parport/procfs.c
@@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
void *result, size_t *lenp, loff_t *ppos)
{
struct parport *port = (struct parport *)table->extra1;
- char buffer[20];
+ char buffer[64];
int len = 0;
if (*ppos) {
--
2.20.1
Powered by blists - more mailing lists