| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7de29a8c-3325-4654-8afd-81f3f9a8d113@gmx.de>
Date: Thu, 14 Nov 2024 15:43:18 +0100
From: Helge Deller <deller@....de>
To: Suraj Sonawane <surajsonawane0215@...il.com>
Cc: linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] video: fbdev: metronomefb: Fix buffer overflow in
load_waveform()
On 11/12/24 21:28, Suraj Sonawane wrote:
> Fix an error detected by the Smatch tool:
>
> drivers/video/fbdev/metronomefb.c:220 load_waveform() error:
> buffer overflow 'wfm_hdr->stuff2a' 2 <= 4
> drivers/video/fbdev/metronomefb.c:220 load_waveform() error:
> buffer overflow 'wfm_hdr->stuff2a' 2 <= 4
>
> The access to wfm_hdr->stuff2a in the loop can lead to a buffer
> overflow if stuff2a is not large enough. To fix this, a check was
> added to ensure that stuff2a has sufficient space before accessing
> it. This prevents the overflow and improves the safety of the code.
>
> Signed-off-by: Suraj Sonawane <surajsonawane0215@...il.com>
> ---
> drivers/video/fbdev/metronomefb.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
> index 6f0942c6e..9da55cef2 100644
> --- a/drivers/video/fbdev/metronomefb.c
> +++ b/drivers/video/fbdev/metronomefb.c
> @@ -210,6 +210,12 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
> }
> wfm_hdr->mc += 1;
> wfm_hdr->trc += 1;
> +
> + if (sizeof(wfm_hdr->stuff2a) < 5) {
> + dev_err(dev, "Error: insufficient space in stuff2a\n");
> + return -EINVAL;
> + }
> +
> for (i = 0; i < 5; i++) {
> if (*(wfm_hdr->stuff2a + i) != 0) {
> dev_err(dev, "Error: unexpected value in padding\n");
That patch is completely wrong.
There is
/* the waveform structure that is coming from userspace firmware */
struct waveform_hdr {
....
u8 stuff2a[2];
u8 stuff2b[3];
So, I *believe* the for-next loop wants to walk acrosss stuff2a and stuff2b,
which have 5 entries together. So, basically the original code isn't nice
but still correct.
Your "sizeof()" check will always be false and is the wrong patch.
If at all, I think the stuff2a and stuff 2b arrays should be joined.
Something like
u8 stuff2[5]; /* this is actually 2-entry stuff2a and 3-entry stuff2b */
But again, I don't know much about this driver.
Helge
Powered by blists - more mailing lists