From nobody Thu Dec 18 10:36:18 2025
Received: from smtpbgsg1.qq.com (smtpbgsg1.qq.com [54.254.200.92])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A3F6822086
	for <linux-kernel@vger.kernel.org>; Mon,  8 Jul 2024 08:05:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=54.254.200.92
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1720425940; cv=none;
 b=LqAEAGAod+r3IFah8TDm5CW0y9iKWQltTuPPM0tBqBCBtYathlJ17ikMidA6S5RjDhm1BA96QGalyPAjyWRwDij6gKKNjISLcI2rQZFlqbrOD4hbpAhuJxPKT6GmOELiv+NcjybjIqh61X3RB5jvfYws+s2XAi5Wu5/N7QXPvPs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1720425940; c=relaxed/simple;
	bh=k6mNQUCpF4Qz1sq9oT3OR4ETJ182daDc+9X0vieWYwE=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=bsh7z3j24ZObNc10MrLHyzLy/8Ij7gtA98srWX96DMfowVPl1AopEw3NapMuks3vW79obHU68zYFpvLmx8sFeralMfXaxpsEfPB04AlWHq6Vp1Pbxyqaa0gOGTR6hXF1nmjde+jjyoKPVY/jSpBj0za/yqQQPZNWEGELukkdS+8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=uniontech.com;
 spf=pass smtp.mailfrom=uniontech.com; arc=none smtp.client-ip=54.254.200.92
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=uniontech.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=uniontech.com
X-QQ-mid: bizesmtpsz5t1720425874t3q8pg0
X-QQ-Originating-IP: ZnVcAnGJKStHEky1gc++tWSUaLvH5mmJxdMrsXMmIRE=
Received: from localhost.localdomain ( [113.57.152.160])
	by bizesmtp.qq.com (ESMTP) with
	id ; Mon, 08 Jul 2024 16:04:32 +0800 (CST)
X-QQ-SSF: 0000000000000000000000000000000
X-QQ-GoodBg: 1
X-BIZMAIL-ID: 647173472075735977
From: tuhaowen <tuhaowen@uniontech.com>
To: gregkh@linuxfoundation.org
Cc: alexander.deucher@amd.com,
	huangbibo@uniontech.com,
	linux-kernel@vger.kernel.org,
	sudipm.mukherjee@gmail.com,
	tuhaowen@uniontech.com,
	wangyuli@uniontech.com
Subject: [PATCH v2] dev/parport: fix the array out-of-bounds risk
Date: Mon,  8 Jul 2024 16:04:30 +0800
Message-Id: <20240708080430.8221-1-tuhaowen@uniontech.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <2024070820-corncob-kelp-f50c@gregkh>
References: <2024070820-corncob-kelp-f50c@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtpsz:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1
Content-Type: text/plain; charset="utf-8"

Fixed array out-of-bounds issues caused by sprintf
by replacing it with snprintf for safer data copying,
ensuring the destination buffer is not overflowed.

Below is the stack trace I encountered during the actual issue:

[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-pr=
otector:
Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]
[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:
QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2
[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp
[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun
PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024
[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:
[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0
[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20
[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c
[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc
[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38
[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [pa=
rport]

Signed-off-by: tuhaowen <tuhaowen@uniontech.com>
---
Changes in v2:
- Replaced `sprintf` with `snprintf` to prevent array out-of-bounds issues.
- Link to v1: https://lore.kernel.org/all/20240626021136.12282-1-tuhaowen@u=
niontech.com
---
 drivers/parport/procfs.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
index bd388560ed59..c2e371c50dcf 100644
--- a/drivers/parport/procfs.c
+++ b/drivers/parport/procfs.c
@@ -51,12 +51,12 @@ static int do_active_device(struct ctl_table *table, in=
t write,
 =09
 	for (dev =3D port->devices; dev ; dev =3D dev->next) {
 		if(dev =3D=3D port->cad) {
-			len +=3D sprintf(buffer, "%s\n", dev->name);
+			len +=3D snprintf(buffer, sizeof(buffer), "%s\n", dev->name);
 		}
 	}
=20
 	if(!len) {
-		len +=3D sprintf(buffer, "%s\n", "none");
+		len +=3D snprintf(buffer, sizeof(buffer), "%s\n", "none");
 	}
=20
 	if (len > *lenp)
@@ -87,19 +87,19 @@ static int do_autoprobe(struct ctl_table *table, int wr=
ite,
 	}
 =09
 	if ((str =3D info->class_name) !=3D NULL)
-		len +=3D sprintf (buffer + len, "CLASS:%s;\n", str);
+		len +=3D snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", st=
r);
=20
 	if ((str =3D info->model) !=3D NULL)
-		len +=3D sprintf (buffer + len, "MODEL:%s;\n", str);
+		len +=3D snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", st=
r);
=20
 	if ((str =3D info->mfr) !=3D NULL)
-		len +=3D sprintf (buffer + len, "MANUFACTURER:%s;\n", str);
+		len +=3D snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;=
\n", str);
=20
 	if ((str =3D info->description) !=3D NULL)
-		len +=3D sprintf (buffer + len, "DESCRIPTION:%s;\n", str);
+		len +=3D snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\=
n", str);
=20
 	if ((str =3D info->cmdset) !=3D NULL)
-		len +=3D sprintf (buffer + len, "COMMAND SET:%s;\n", str);
+		len +=3D snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\=
n", str);
=20
 	if (len > *lenp)
 		len =3D *lenp;
@@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *tabl=
e, int write,
 				 void *result, size_t *lenp, loff_t *ppos)
 {
 	struct parport *port =3D (struct parport *)table->extra1;
-	char buffer[20];
+	char buffer[64];
 	int len =3D 0;
=20
 	if (*ppos) {
@@ -128,7 +128,7 @@ static int do_hardware_base_addr(struct ctl_table *tabl=
e, int write,
 	if (write) /* permissions prevent this anyway */
 		return -EACCES;
=20
-	len +=3D sprintf (buffer, "%lu\t%lu\n", port->base, port->base_hi);
+	len +=3D snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port=
->base_hi);
=20
 	if (len > *lenp)
 		len =3D *lenp;
@@ -155,7 +155,7 @@ static int do_hardware_irq(struct ctl_table *table, int=
 write,
 	if (write) /* permissions prevent this anyway */
 		return -EACCES;
=20
-	len +=3D sprintf (buffer, "%d\n", port->irq);
+	len +=3D snprintf (buffer, sizeof(buffer), "%d\n", port->irq);
=20
 	if (len > *lenp)
 		len =3D *lenp;
@@ -182,7 +182,7 @@ static int do_hardware_dma(struct ctl_table *table, int=
 write,
 	if (write) /* permissions prevent this anyway */
 		return -EACCES;
=20
-	len +=3D sprintf (buffer, "%d\n", port->dma);
+	len +=3D snprintf (buffer, sizeof(buffer), "%d\n", port->dma);
=20
 	if (len > *lenp)
 		len =3D *lenp;
@@ -213,7 +213,7 @@ static int do_hardware_modes(struct ctl_table *table, i=
nt write,
 #define printmode(x)							\
 do {									\
 	if (port->modes & PARPORT_MODE_##x)				\
-		len +=3D sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \
+		len +=3D snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," =
: "", #x); \
 } while (0)
 		int f =3D 0;
 		printmode(PCSPP);
--=20
2.20.1