From: Sergey Shtylyov <s.shtylyov@omp.ru> mainline inclusion from mainline-v6.9-rc3 commit a1aa5390cc912934fee76ce80af5f940452fa987 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8R CVE: CVE-2024-35878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@omp.ru Signed-off-by: Rob Herring <robh@kernel.org> Conflicts: drivers/of/device.c drivers/of/module.c [chenjun: context conflicts. of_modalias() is not extracted from of_device_get_modalias().] Signed-off-by: Chen Jun <chenjun102@huawei.com> --- drivers/of/device.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/of/device.c b/drivers/of/device.c index 93f08f18f6b3..0b1d317acb88 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -226,6 +226,14 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len if ((!dev) || (!dev->of_node)) return -ENODEV; + /* + * Prevent a kernel oops in vsnprintf() -- it only allows passing a + * NULL ptr when the length is also 0. Also filter out the negative + * lengths... + */ + if ((len > 0 && !str) || len < 0) + return -EINVAL; + /* Name & Type */ /* %p eats all alphanum characters, so %c must be used here */ csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', -- 2.17.1