From 4b971ab14bacac1dea710d80845214252f13de0b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 7 May 2025 16:04:58 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
of-module-add-buffer-overflow-check-in-of_modalias.patch
---
 ...buffer-overflow-check-in-of_modalias.patch | 46 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 queue-5.10/of-module-add-buffer-overflow-check-in-of_modalias.patch
diff --git a/queue-5.10/of-module-add-buffer-overflow-check-in-of_modalias.patch b/queue-5.10/of-module-add-buffer-overflow-check-in-of_modalias.patch
new file mode 100644
index 0000000000..7b19b05bc4
--- /dev/null
+++ b/queue-5.10/of-module-add-buffer-overflow-check-in-of_modalias.patch
@@ -0,0 +1,46 @@
+From cf7385cb26ac4f0ee6c7385960525ad534323252 Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov
+Date: Sun, 14 Apr 2024 11:51:39 +0300
+Subject: of: module: add buffer overflow check in of_modalias()
+
+From: Sergey Shtylyov
+
+commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream.
+
+In of_modalias(), if the buffer happens to be too small even for the 1st
+snprintf() call, the len parameter will become negative and str parameter
+(if not NULL initially) will point beyond the buffer's end. Add the buffer
+overflow check after the 1st snprintf() call and fix such check after the
+strlen() call (accounting for the terminating NUL char).
+
+Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
+Signed-off-by: Sergey Shtylyov
+Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
+Signed-off-by: Rob Herring
+Signed-off-by: "Uwe Kleine-König"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/device.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -231,14 +231,15 @@ static ssize_t of_device_get_modalias(st
+ csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
+ of_node_get_device_type(dev->of_node));
+ tsize = csize;
++ if (csize >= len)
++ csize = len > 0 ? len - 1 : 0;
+ len -= csize;
+- if (str)
+- str += csize;
++ str += csize;
+
+ of_property_for_each_string(dev->of_node, "compatible", p, compat) {
+ csize = strlen(compat) + 1;
+ tsize += csize;
+- if (csize > len)
++ if (csize >= len)
+ continue;
+
+ csize = snprintf(str, len, "C%s", compat);
diff --git a/queue-5.10/series b/queue-5.10/series
index bbe0ee96aa..4a636cbc7d 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
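Review bot: With the `if (str)` test dropped, the queued of_device_get_modalias() change advances `str` unconditionally, so the function now relies on callers pairing a NULL buffer with `len == 0`, and nothing in the visible lines enforces that pairing. A NULL `str` with a positive `len` would reach the first `snprintf()` with a NULL destination before the new clamp runs. The function body starts and ends outside this hunk, so an entry check may already exist in the 5.10 tree; if it does not, `if ((len > 0 && !str) || len < 0) return -EINVAL;` ahead of the first `snprintf()` would make the contract explicit. The clamp would also benefit from a short comment such as `/* snprintf() returns the untruncated length; keep len and str inside the buffer */`.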
@@ -27,3 +27,4 @@ nvme-tcp-fix-premature-queue-removal-and-i-o-failove.patch
 net-lan743x-fix-memleak-issue-when-gso-enabled.patch
 net-fec-err007885-workaround-for-conventional-tx.patch
 pci-imx6-skip-controller_id-generation-logic-for-i.mx7d.patch
+of-module-add-buffer-overflow-check-in-of_modalias.patch
--
2.47.3