2023-11-16 07:06:22

by Andrey Shumilin

[permalink] [raw]
Subject: [PATCH 2/2] procfs.c: Increasing array size

The maximum size in bytes of the port->base and port->base_hi
variables is 20 bytes per variable, since they are copied in
decimal notation. Two more characters are \t and \n.
A maximum of 42 bytes can be written to a buffer variable.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Andrey Shumilin <[email protected]>
---
drivers/parport/procfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
index bd388560ed59..9b894f7cb581 100644
--- a/drivers/parport/procfs.c
+++ b/drivers/parport/procfs.c
@@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
void *result, size_t *lenp, loff_t *ppos)
{
struct parport *port = (struct parport *)table->extra1;
- char buffer[20];
+ char buffer[44];
int len = 0;

if (*ppos) {
--
2.30.2


2024-01-08 17:39:25

by Alexey Khoroshilov

[permalink] [raw]
Subject: Re: [PATCH 2/2] procfs.c: Increasing array size

On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.

I would update subject and description like that:

paport: Fix potential buffer overflow in do_hardware_base_addr()

The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.


Otherwise, looks good to me.

Reviewed-by: Alexey Khoroshilov <[email protected]>


> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Andrey Shumilin <[email protected]>
> ---
> drivers/parport/procfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
> void *result, size_t *lenp, loff_t *ppos)
> {
> struct parport *port = (struct parport *)table->extra1;
> - char buffer[20];
> + char buffer[44];
> int len = 0;
>
> if (*ppos) {
>