[lvc-project] [PATCH 2/2] procfs.c: Increasing array size

Alexey Khoroshilov khoroshilov at ispras.ru
Mon Jan 8 19:56:44 MSK 2024


On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.

I would update subject and description like that:

paport: Fix potential buffer overflow in do_hardware_base_addr()

The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.


Otherwise, looks good to me.

Reviewed-by: Alexey Khoroshilov <khoroshilov at ispras.ru>


> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Andrey Shumilin <shum.sdl at nppct.ru>
> ---
>  drivers/parport/procfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
>  				 void *result, size_t *lenp, loff_t *ppos)
>  {
>  	struct parport *port = (struct parport *)table->extra1;
> -	char buffer[20];
> +	char buffer[44];
>  	int len = 0;
>  
>  	if (*ppos) {
> 




More information about the lvc-project mailing list