- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 0/3] *** fix CVE-2024-50009 ***
by Bowen You 25 Oct '24

25 Oct '24

*** BLURB HERE *** Anastasia Belova (1): cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value Dhananjay Ugwekar (1): cpufreq/amd-pstate: Add the missing cpufreq_cpu_put() Mario Limonciello (1): cpufreq/amd-pstate-ut: Don't check for highest perf matching on prefcore drivers/cpufreq/amd-pstate-ut.c | 13 ++++++++----- drivers/cpufreq/amd-pstate.c | 19 ++++++++++++++++--- 2 files changed, 24 insertions(+), 8 deletions(-) -- 2.34.1

2 4

[PATCH OLK-6.6] drm/amd/display: Fix index out of bounds in DCN30 color transformation
by Yu Kuai 25 Oct '24

25 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v6.6.55 commit 929506d5671419cffd8d01e9a7f5eae53682a838 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB2 CVE: CVE-2024-49969 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit d81873f9e715b72d4f8d391c8eb243946f784dfc ] This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c index e0df9b0065f9..c210f672b99b 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c @@ -178,6 +178,8 @@ bool cm3_helper_translate_curve_to_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.39.2

2 1

[PATCH OLK-5.10] drm/amd/display: Fix index out of bounds in DCN30 color transformation
by Yu Kuai 25 Oct '24

25 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.227 commit 7ab69af56a23859b647dee69fa1052c689343621 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB2 CVE: CVE-2024-49969 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit d81873f9e715b72d4f8d391c8eb243946f784dfc ] This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c index e0df9b0065f9..c210f672b99b 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c @@ -178,6 +178,8 @@ bool cm3_helper_translate_curve_to_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] hwmon: (coretemp) Check for null before removing sysfs attrs
by Yu Kuai 25 Oct '24

25 Oct '24

From: Phil Auld <pauld(a)redhat.com> stable inclusion from stable-v4.19.268 commit 280110db1a7d62ad635b103bafc3ae96e8bef75c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRET CVE: CVE-2022-49010 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group(). [Shortened for readability] [91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' <cpu offline> [91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 [91855.165103] #PF: supervisor read access in kernel mode [91855.194506] #PF: error_code(0x0000) - not-present page [91855.224445] PGD 0 P4D 0 [91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI ... [91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 ... [91855.796571] Call Trace: [91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] [91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] [91855.871107] cpuhp_invoke_callback+0x105/0x4b0 [91855.893432] cpuhp_thread_fun+0x8e/0x150 ... Fix this by checking for NULL first. Signed-off-by: Phil Auld <pauld(a)redhat.com> Cc: linux-hwmon(a)vger.kernel.org Cc: Fenghua Yu <fenghua.yu(a)intel.com> Cc: Jean Delvare <jdelvare(a)suse.com> Cc: Guenter Roeck <linux(a)roeck-us.net> Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> --- drivers/hwmon/coretemp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c index 10645c9bb7be..74eb5d7a3227 100644 --- a/drivers/hwmon/coretemp.c +++ b/drivers/hwmon/coretemp.c @@ -532,6 +532,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) { struct temp_data *tdata = pdata->core_data[indx]; + /* if we errored on add then this is already gone */ + if (!tdata) + return; + /* Remove the sysfs attributes */ sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); -- 2.39.2

2 1

[openeuler:openEuler-1.0-LTS] BUILD REGRESSION fc5b1a61061cb6d640f3336024fb616182ef2614
by kernel test robot 25 Oct '24

25 Oct '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: fc5b1a61061cb6d640f3336024fb616182ef2614 !12353 ida: Fix crash in ida_free when the bitmap is empty Error/Warning (recently discovered and may have been fixed): https://lore.kernel.org/oe-kbuild-all/202410250017.rJYuRb99-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202410250213.xpJhjcfg-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202410251039.YhQeKMJn-lkp@intel.com arch/arm64/kernel/smp.c:1217:14: error: 'pmu_nmi_enable' undeclared (first use in this function); did you mean 'perf_pmu_enable'? drivers/clocksource/arm_arch_timer.c:554:44: error: 'hisi_161010101_read_cntvct_el0' undeclared (first use in this function) drivers/tty/tty_buffer.c:172:9: error: implicit declaration of function 'printk_safe_exit'; did you mean 'printk_safe_init'? [-Werror=implicit-function-declaration] Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allnoconfig | `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains |-- arm64-randconfig-001-20241025 | |-- arch-arm64-kernel-smp.c:error:pmu_nmi_enable-undeclared-(first-use-in-this-function) | `-- drivers-tty-tty_buffer.c:error:implicit-declaration-of-function-printk_safe_exit |-- arm64-randconfig-002-20241025 | |-- drivers-nvme-host-core.c:error:compat_uptr_t-undeclared-(first-use-in-this-function) | `-- drivers-nvme-host-core.c:error:expected-before-ptrval |-- arm64-randconfig-003-20241025 | `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains |-- arm64-randconfig-004-20241024 | |-- arch-arm64-kernel-smp.c:error:pmu_nmi_enable-undeclared-(first-use-in-this-function) | `-- drivers-clocksource-arm_arch_timer.c:error:hisi_161010101_read_cntvct_el0-undeclared-(first-use-in-this-function) |-- arm64-randconfig-004-20241025 | `-- drivers-clocksource-arm_arch_timer.c:error:hisi_161010101_read_cntvct_el0-undeclared-(first-use-in-this-function) |-- x86_64-allyesconfig | `-- drivers-net-ethernet-stmicro-stmmac-dwmac-phytium.c:error:incompatible-pointer-to-integer-conversion-returning-void-from-a-function-with-result-type-int |-- x86_64-buildonly-randconfig-003-20241025 | |-- arch-x86-events-zhaoxin-core.c:error:redefinition-of-zhaoxin_pmu_init | |-- arch-x86-kernel-cpu-mce-therm_throt.o:warning:objtool:missing-symbol-for-section-.irqentry.text | |-- drivers-gpio-gpio-hisi.o:warning:objtool:missing-symbol-for-section-.init.text | `-- drivers-platform-x86-intel_atomisp2_pm.o:warning:objtool:missing-symbol-for-section-.init.text |-- x86_64-buildonly-randconfig-004-20241025 | |-- ld.lld:error:undefined-symbol:__alloc_skb | |-- ld.lld:error:undefined-symbol:__netlink_kernel_create | |-- ld.lld:error:undefined-symbol:__nlmsg_put | |-- ld.lld:error:undefined-symbol:init_net | |-- ld.lld:error:undefined-symbol:kfree_skb | |-- ld.lld:error:undefined-symbol:netlink_broadcast | `-- ld.lld:error:undefined-symbol:netlink_kernel_release |-- x86_64-buildonly-randconfig-005-20241025 | |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity-Werror-Wimplicit-function-declaration | |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains-Werror-Wimplicit-function-declaration | `-- kernel-sched-core.c:error:use-of-undeclared-identifier-root_task_group |-- x86_64-buildonly-randconfig-006-20241025 | |-- arch-x86-events-zhaoxin-core.c:error:redefinition-of-zhaoxin_pmu_init | `-- drivers-tty-tty_buffer.c:error:implicit-declaration-of-function-printk_safe_exit `-- x86_64-randconfig-161-20241025 `-- arch-x86-events-zhaoxin-core.c:error:redefinition-of-zhaoxin_pmu_init elapsed time: 1101m configs tested: 20 configs skipped: 138 tested configs: arm64 allmodconfig gcc-14.1.0 arm64 allnoconfig gcc-14.1.0 arm64 defconfig gcc-14.1.0 arm64 randconfig-001-20241025 gcc-14.1.0 arm64 randconfig-002-20241025 gcc-14.1.0 arm64 randconfig-003-20241025 gcc-14.1.0 arm64 randconfig-004-20241025 gcc-14.1.0 x86_64 allnoconfig clang-19 x86_64 allyesconfig clang-19 x86_64 buildonly-randconfig-001-20241025 clang-19 x86_64 buildonly-randconfig-002-20241025 gcc-12 x86_64 buildonly-randconfig-003-20241025 clang-19 x86_64 buildonly-randconfig-004-20241025 clang-19 x86_64 buildonly-randconfig-005-20241025 clang-19 x86_64 buildonly-randconfig-006-20241025 gcc-12 x86_64 defconfig gcc-11 x86_64 kexec clang-19 x86_64 randconfig-001-20241025 clang-19 x86_64 randconfig-002-20241025 clang-19 x86_64 rhel-8.3 gcc-12 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/1] CVE-2024-35964
by Yongqiang Liu 25 Oct '24

25 Oct '24

Luiz Augusto von Dentz (1): Bluetooth: ISO: Fix not validating setsockopt user input net/bluetooth/iso.c | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) -- 2.25.1

2 2

[PATCH OLK-5.10] dev/parport: fix the array out-of-bounds risk
by dinglongwei 25 Oct '24

25 Oct '24

From: tuhaowen <tuhaowen(a)uniontech.com> stable inclusion from stable-v5.10.224 commit a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQAA CVE: CVE-2024-42301 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5 upstream. Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] Signed-off-by: tuhaowen <tuhaowen(a)uniontech.com> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20240708080430.8221-1-tuhaowen@uniontech.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- drivers/parport/procfs.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c index d740eba3c099..8400a379186e 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -51,12 +51,12 @@ static int do_active_device(struct ctl_table *table, int write, for (dev = port->devices; dev ; dev = dev->next) { if(dev == port->cad) { - len += sprintf(buffer, "%s\n", dev->name); + len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); } } if(!len) { - len += sprintf(buffer, "%s\n", "none"); + len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); } if (len > *lenp) @@ -87,19 +87,19 @@ static int do_autoprobe(struct ctl_table *table, int write, } if ((str = info->class_name) != NULL) - len += sprintf (buffer + len, "CLASS:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); if ((str = info->model) != NULL) - len += sprintf (buffer + len, "MODEL:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); if ((str = info->mfr) != NULL) - len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); if ((str = info->description) != NULL) - len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); if ((str = info->cmdset) != NULL) - len += sprintf (buffer + len, "COMMAND SET:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); if (len > *lenp) len = *lenp; @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, void *result, size_t *lenp, loff_t *ppos) { struct parport *port = (struct parport *)table->extra1; - char buffer[20]; + char buffer[64]; int len = 0; if (*ppos) { @@ -128,7 +128,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%lu\t%lu\n", port->base, port->base_hi); + len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); if (len > *lenp) len = *lenp; @@ -155,7 +155,7 @@ static int do_hardware_irq(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->irq); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); if (len > *lenp) len = *lenp; @@ -182,7 +182,7 @@ static int do_hardware_dma(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->dma); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); if (len > *lenp) len = *lenp; @@ -213,7 +213,7 @@ static int do_hardware_modes(struct ctl_table *table, int write, #define printmode(x) \ do { \ if (port->modes & PARPORT_MODE_##x) \ - len += sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \ + len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ } while (0) int f = 0; printmode(PCSPP); -- 2.17.1

2 1

[PATCH OLK-6.6 0/1] CVE-2024-35949
by Yongqiang Liu 25 Oct '24

25 Oct '24

Josef Bacik (1): btrfs: make sure that WRITTEN is set on all metadata blocks fs/btrfs/tree-checker.c | 30 +++++++++++++++--------------- fs/btrfs/tree-checker.h | 1 + 2 files changed, 16 insertions(+), 15 deletions(-) -- 2.25.1

2 2

[PATCH OLK-5.10 0/1] CVE-2024-43894
by Yongqiang Liu 25 Oct '24

25 Oct '24

Ma Ke (1): drm/client: fix null pointer dereference in drm_client_modeset_probe drivers/gpu/drm/drm_client_modeset.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.25.1

2 6

[PATCH openEuler-22.03-LTS-SP1] dev/parport: fix the array out-of-bounds risk
by dinglongwei 25 Oct '24

25 Oct '24

From: tuhaowen <tuhaowen(a)uniontech.com> stable inclusion from stable-v5.10.224 commit a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQAA CVE: CVE-2024-42301 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5 upstream. Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] Signed-off-by: tuhaowen <tuhaowen(a)uniontech.com> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20240708080430.8221-1-tuhaowen@uniontech.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- drivers/parport/procfs.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c index d740eba3c099..8400a379186e 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -51,12 +51,12 @@ static int do_active_device(struct ctl_table *table, int write, for (dev = port->devices; dev ; dev = dev->next) { if(dev == port->cad) { - len += sprintf(buffer, "%s\n", dev->name); + len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); } } if(!len) { - len += sprintf(buffer, "%s\n", "none"); + len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); } if (len > *lenp) @@ -87,19 +87,19 @@ static int do_autoprobe(struct ctl_table *table, int write, } if ((str = info->class_name) != NULL) - len += sprintf (buffer + len, "CLASS:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); if ((str = info->model) != NULL) - len += sprintf (buffer + len, "MODEL:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); if ((str = info->mfr) != NULL) - len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); if ((str = info->description) != NULL) - len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); if ((str = info->cmdset) != NULL) - len += sprintf (buffer + len, "COMMAND SET:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); if (len > *lenp) len = *lenp; @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, void *result, size_t *lenp, loff_t *ppos) { struct parport *port = (struct parport *)table->extra1; - char buffer[20]; + char buffer[64]; int len = 0; if (*ppos) { @@ -128,7 +128,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%lu\t%lu\n", port->base, port->base_hi); + len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); if (len > *lenp) len = *lenp; @@ -155,7 +155,7 @@ static int do_hardware_irq(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->irq); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); if (len > *lenp) len = *lenp; @@ -182,7 +182,7 @@ static int do_hardware_dma(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->dma); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); if (len > *lenp) len = *lenp; @@ -213,7 +213,7 @@ static int do_hardware_modes(struct ctl_table *table, int write, #define printmode(x) \ do { \ if (port->modes & PARPORT_MODE_##x) \ - len += sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \ + len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ } while (0) int f = 0; printmode(PCSPP); -- 2.17.1

2 1

2024

2023

2022

2021

2020

2019

Kernel