From: Greg Kroah-Hartman
Date: Sat, 25 May 2024 15:01:19 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.9.3~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0123f0848d2f317de826616cf20026330759e862;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches added patches: speakup-fix-sizeof-vs-array_size-bug.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index ae483180dca..9331c92af95 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1 +1,2 @@
 tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch
+speakup-fix-sizeof-vs-array_size-bug.patch
diff --git a/queue-5.10/speakup-fix-sizeof-vs-array_size-bug.patch b/queue-5.10/speakup-fix-sizeof-vs-array_size-bug.patch
new file mode 100644
index 00000000000..9ebd394c70a
--- /dev/null
+++ b/queue-5.10/speakup-fix-sizeof-vs-array_size-bug.patch
@@ -0,0 +1,34 @@
+From 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 15 Apr 2024 14:02:23 +0300
+Subject: speakup: Fix sizeof() vs ARRAY_SIZE() bug
+
+From: Dan Carpenter
+
+commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream.
+
+The "buf" pointer is an array of u16 values. This code should be
+using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
+otherwise it can the still got out of bounds.
+
+Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Reviewed-by: Samuel Thibault
+Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/accessibility/speakup/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accessibility/speakup/main.c
++++ b/drivers/accessibility/speakup/main.c
+@@ -576,7 +576,7 @@ static u_long get_word(struct vc_data *v
+ }
+ attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
+ buf[cnt++] = attr_ch;
+- while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
++ while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
+ tmp_pos += 2;
+ tmpx++;
+ ch = get_char(vc, (u_short *)tmp_pos, &temp);
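Review bot: The new `while` condition in get_word() bounds `cnt` in u16 elements, but nothing at the use site states the unit, and that ambiguity between bytes and elements is what produced the earlier wrong bound. A one-line comment above the loop, such as `/* cnt indexes u16 elements of buf; keep one slot free */`, would make the unit explicit for the next person touching this check. The `- 1` presumably reserves room for a terminator written after the loop, which is outside this hunk, so confirm that before settling the wording. The store `buf[cnt++] = attr_ch;` just before the loop has no bound check of its own, which is safe only if `cnt` is zero at that point; its initialisation is also outside the hunk, as get_word()'s body starts and ends beyond it.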