|
| 1 | +dev/parport: fix the array out-of-bounds risk |
| 2 | + |
| 3 | +jira LE-3201 |
| 4 | +cve CVE-2024-42301 |
| 5 | +Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10 |
| 6 | +commit-author tuhaowen < [email protected]> |
| 7 | +commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5 |
| 8 | +Empty-Commit: Cherry-Pick Conflicts during history rebuild. |
| 9 | +Will be included in final tarball splat. Ref for failed cherry-pick at: |
| 10 | +ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/ab11dac9.failed |
| 11 | + |
| 12 | +Fixed array out-of-bounds issues caused by sprintf |
| 13 | +by replacing it with snprintf for safer data copying, |
| 14 | +ensuring the destination buffer is not overflowed. |
| 15 | + |
| 16 | +Below is the stack trace I encountered during the actual issue: |
| 17 | + |
| 18 | +[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: |
| 19 | +Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] |
| 20 | +[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: |
| 21 | +QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 |
| 22 | +[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp |
| 23 | +[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun |
| 24 | +PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 |
| 25 | +[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: |
| 26 | +[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 |
| 27 | +[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 |
| 28 | +[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c |
| 29 | +[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc |
| 30 | +[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 |
| 31 | +[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] |
| 32 | + |
| 33 | + Signed-off-by: tuhaowen < [email protected]> |
| 34 | + |
| 35 | +Link: https://lore.kernel.org/r/ [email protected] |
| 36 | + Signed-off-by: Greg Kroah-Hartman < [email protected]> |
| 37 | +(cherry picked from commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5) |
| 38 | + Signed-off-by: Jonathan Maple < [email protected]> |
| 39 | + |
| 40 | +# Conflicts: |
| 41 | +# drivers/parport/procfs.c |
| 42 | +diff --cc drivers/parport/procfs.c |
| 43 | +index 48804049d697,c2e371c50dcf..000000000000 |
| 44 | +--- a/drivers/parport/procfs.c |
| 45 | ++++ b/drivers/parport/procfs.c |
| 46 | +@@@ -113,11 -114,10 +113,11 @@@ static int do_autoprobe(struct ctl_tabl |
| 47 | + #endif /* IEEE1284.3 support. */ |
| 48 | + |
| 49 | + static int do_hardware_base_addr(struct ctl_table *table, int write, |
| 50 | + - void *result, size_t *lenp, loff_t *ppos) |
| 51 | + + void __user *result, |
| 52 | + + size_t *lenp, loff_t *ppos) |
| 53 | + { |
| 54 | + struct parport *port = (struct parport *)table->extra1; |
| 55 | +- char buffer[20]; |
| 56 | ++ char buffer[64]; |
| 57 | + int len = 0; |
| 58 | + |
| 59 | + if (*ppos) { |
| 60 | +@@@ -213,7 -210,11 +213,15 @@@ static int do_hardware_modes(struct ctl |
| 61 | + return -EACCES; |
| 62 | + |
| 63 | + { |
| 64 | +++<<<<<<< HEAD |
| 65 | + +#define printmode(x) {if(port->modes&PARPORT_MODE_##x){len+=sprintf(buffer+len,"%s%s",f?",":"",#x);f++;}} |
| 66 | +++======= |
| 67 | ++ #define printmode(x) \ |
| 68 | ++ do { \ |
| 69 | ++ if (port->modes & PARPORT_MODE_##x) \ |
| 70 | ++ len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ |
| 71 | ++ } while (0) |
| 72 | +++>>>>>>> ab11dac93d2d (dev/parport: fix the array out-of-bounds risk) |
| 73 | + int f = 0; |
| 74 | + printmode(PCSPP); |
| 75 | + printmode(TRISTATE); |
| 76 | +* Unmerged path drivers/parport/procfs.c |
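Review bot: The incoming side of the conflict in `do_hardware_modes` accumulates `len += snprintf(buffer + len, sizeof(buffer) - len, ...)`, but `snprintf` returns the length the output would have had, not the number of bytes stored. After one truncated write `len` can exceed the buffer, so `sizeof(buffer) - len` wraps to a very large size on the next `printmode()` call, and any later copy sized by `len` would presumably read past the array. When the conflict is resolved, use `scnprintf`, which returns what was actually written: `len += scnprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x);`. This record is also an empty commit with the conflict markers left in, so as far as this page shows the tree still carries the HEAD `sprintf` form of `printmode`; tracking for CVE-2024-42301 should not count it as the applied fix until the resolved change lands. The declaration of `buffer` and the rest of `do_hardware_modes` lie outside the hunk, so the real headroom cannot be confirmed from here.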