From: Greg Kroah-Hartman Date: Wed, 7 May 2025 14:05:08 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.182~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=49a8db767923af13cb191c9003b9b6951db01753;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: of-module-add-buffer-overflow-check-in-of_modalias.patch --- diff --git a/queue-5.15/of-module-add-buffer-overflow-check-in-of_modalias.patch b/queue-5.15/of-module-add-buffer-overflow-check-in-of_modalias.patch new file mode 100644 index 0000000000..92ea8f9336 --- /dev/null +++ b/queue-5.15/of-module-add-buffer-overflow-check-in-of_modalias.patch @@ -0,0 +1,46 @@ +From cf7385cb26ac4f0ee6c7385960525ad534323252 Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sun, 14 Apr 2024 11:51:39 +0300 +Subject: of: module: add buffer overflow check in of_modalias() + +From: Sergey Shtylyov + +commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. + +In of_modalias(), if the buffer happens to be too small even for the 1st +snprintf() call, the len parameter will become negative and str parameter +(if not NULL initially) will point beyond the buffer's end. Add the buffer +overflow check after the 1st snprintf() call and fix such check after the +strlen() call (accounting for the terminating NUL char). + +Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru +Signed-off-by: Rob Herring +Signed-off-by: "Uwe Kleine-König" +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/device.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/of/device.c ++++ b/drivers/of/device.c +@@ -257,14 +257,15 @@ static ssize_t of_device_get_modalias(st + csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', + of_node_get_device_type(dev->of_node)); + tsize = csize; ++ if (csize >= len) ++ csize = len > 0 ? len - 1 : 0; + len -= csize; +- if (str) +- str += csize; ++ str += csize; + + of_property_for_each_string(dev->of_node, "compatible", p, compat) { + csize = strlen(compat) + 1; + tsize += csize; +- if (csize > len) ++ if (csize >= len) + continue; + + csize = snprintf(str, len, "C%s", compat); diff --git a/queue-5.15/series b/queue-5.15/series index c3d3b2bf3b..29afa73239 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -40,3 +40,4 @@ net-hns3-fix-an-interrupt-residual-problem.patch net-hns3-fixed-debugfs-tm_qset-size.patch net-hns3-defer-calling-ptp_clock_register.patch pci-imx6-skip-controller_id-generation-logic-for-i.mx7d.patch +of-module-add-buffer-overflow-check-in-of_modalias.patch