From 3caaca33507bbd49e04e7798fba93d0946f0127e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Apr 2024 10:57:55 +0200 Subject: [PATCH] 6.7-stable patches added patches: staging-vc04_services-changen-strncpy-to-strscpy_pad.patch staging-vc04_services-fix-information-leak-in-create_component.patch --- queue-6.7/series | 2 + ...vices-changen-strncpy-to-strscpy_pad.patch | 42 +++++++++++++++++++ ...information-leak-in-create_component.patch | 33 +++++++++++++++ 3 files changed, 77 insertions(+) create mode 100644 queue-6.7/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch create mode 100644 queue-6.7/staging-vc04_services-fix-information-leak-in-create_component.patch diff --git a/queue-6.7/series b/queue-6.7/series index eef48421b80..cf20cba1adb 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -390,3 +390,5 @@ scsi-ufs-qcom-provide-default-cycles_in_1us-value.patch scsi-sd-fix-tcg-opal-unlock-on-system-resume.patch scsi-sg-avoid-sg-device-teardown-race.patch scsi-core-fix-unremoved-procfs-host-directory-regression.patch +staging-vc04_services-changen-strncpy-to-strscpy_pad.patch +staging-vc04_services-fix-information-leak-in-create_component.patch diff --git a/queue-6.7/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch b/queue-6.7/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch new file mode 100644 index 00000000000..0e7128e6eb8 --- /dev/null +++ b/queue-6.7/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch @@ -0,0 +1,42 @@ +From ef25725b7f8aaffd7756974d3246ec44fae0a5cf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 13 Mar 2024 17:36:56 +0100 +Subject: staging: vc04_services: changen strncpy() to strscpy_pad() + +From: Arnd Bergmann + +commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf upstream. + +gcc-14 warns about this strncpy() that results in a non-terminated +string for an overflow: + +In file included from include/linux/string.h:369, + from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20: +In function 'strncpy', + inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2: +include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation] + +Change it to strscpy_pad(), which produces a properly terminated and +zero-padded string. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c +@@ -937,8 +937,8 @@ static int create_component(struct vchiq + /* build component create message */ + m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE; + m.u.component_create.client_component = component->client_component; +- strncpy(m.u.component_create.name, name, +- sizeof(m.u.component_create.name)); ++ strscpy_pad(m.u.component_create.name, name, ++ sizeof(m.u.component_create.name)); + + ret = send_synchronous_mmal_msg(instance, &m, + sizeof(m.u.component_create), diff --git a/queue-6.7/staging-vc04_services-fix-information-leak-in-create_component.patch b/queue-6.7/staging-vc04_services-fix-information-leak-in-create_component.patch new file mode 100644 index 00000000000..2901b709f52 --- /dev/null +++ b/queue-6.7/staging-vc04_services-fix-information-leak-in-create_component.patch @@ -0,0 +1,33 @@ +From f37e76abd614b68987abc8e5c22d986013349771 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 Mar 2024 21:07:43 +0300 +Subject: staging: vc04_services: fix information leak in create_component() + +From: Dan Carpenter + +commit f37e76abd614b68987abc8e5c22d986013349771 upstream. + +The m.u.component_create.pid field is for debugging and in the mainline +kernel it's not used anything. However, it still needs to be set to +something to prevent disclosing uninitialized stack data. Set it to +zero. + +Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") +Cc: stable +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c +@@ -939,6 +939,7 @@ static int create_component(struct vchiq + m.u.component_create.client_component = component->client_component; + strscpy_pad(m.u.component_create.name, name, + sizeof(m.u.component_create.name)); ++ m.u.component_create.pid = 0; + + ret = send_synchronous_mmal_msg(instance, &m, + sizeof(m.u.component_create), -- 2.39.5