public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: tuhaowen <tuhaowen@uniontech.com>
Cc: alexander.deucher@amd.com, huangbibo@uniontech.com,
	linux-kernel@vger.kernel.org, sudipm.mukherjee@gmail.com,
	wangyuli@uniontech.com
Subject: Re: Re: [PATCH] dev/parport: fix the array out-of-bounds risk
Date: Fri, 5 Jul 2024 08:45:45 +0200
Message-ID: <2024070503-concert-mummify-dcbf@gregkh>
In-Reply-To: <20240705063658.8782-1-tuhaowen@uniontech.com>

On Fri, Jul 05, 2024 at 02:36:58PM +0800, tuhaowen wrote:
> On Thu, Jul 04, 2024 at 06:07:47PM +0800, Greg Kroah-Hartman wrote:
> 
> > Usually because no one actually has this hardware anymore :)
> > 
> > Can you also properly test the buffer size when writing into it so that
> > even if the math is incorrect, it will not overflow?
> 
> 
> As of now, I have encountered these three devices: BUNET BU1L02,
> EB-LINK EB-2C1B01, and SYBA FG-EMT03A-N. When these PCIe to parallel
> port cards are installed, the system experiences abnormal reboots.
> I am not sure if there are other devices with these issues.
> 
> Below is the stack trace I encountered during the actual issue:
> 
> [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:
> Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]
> [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:
> QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2
> [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp
> [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun
> PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024
> [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:
> [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0
> [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20
> [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c
> [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc
> [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38
> [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]
> 
> 
> The array buffer size is 20 bytes.
> When executing code in a 64-bit CPU environment,
> up to 44 bytes of data will be written into this array
> (the size of "%lu\t%lu\n" is 21 + 1 + 21 + 1).
> 
> This modification will resolve the current issue without introducing new problems.

I'm not disputing that this change looks correct, I'm asking that you
redo it and properly check the array size when writing to it so as to
ensure that it really is correct in case our math is incorrect
somewhere.

thanks,

greg k-h
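
The bounded write requested in this reply, as an added userspace example that is not part of the thread or of the kernel patch: it measures the worst-case length of "%lu\t%lu\n" with the formatter itself and refuses output that does not fit the 20-byte array. The function names and the base/base_hi parameter names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define OLD_BUF_SIZE 20 /* array size quoted in the thread */

/* Worst-case characters (without the NUL) that "%lu\t%lu\n" can emit,
 * measured by the formatter itself instead of counted by hand. */
static int worst_case_len(void)
{
	return snprintf(NULL, 0, "%lu\t%lu\n", ULONG_MAX, ULONG_MAX);
}

/* Bounded write: stores at most size bytes. Returns the length stored,
 * or -1 (with buf emptied) when the text does not fit, so a wrong size
 * estimate becomes an error, not a stack overwrite. Names are assumed. */
static int format_base_addr(char *buf, size_t size,
			    unsigned long base, unsigned long base_hi)
{
	int n;
	if (size == 0)
		return -1;
	n = snprintf(buf, size, "%lu\t%lu\n", base, base_hi);
	if (n < 0 || (size_t)n >= size) {
		buf[0] = '\0';
		return -1;
	}
	return n;
}

/* Constructed check: guard bytes placed right after a 20-byte buffer
 * must be untouched after formatting values that do not fit. */
static int guard_survives(unsigned long base, unsigned long base_hi)
{
	struct { char buf[OLD_BUF_SIZE]; unsigned char guard[8]; } s;
	size_t i;
	memset(s.guard, 0xA5, sizeof(s.guard));
	(void)format_base_addr(s.buf, sizeof(s.buf), base, base_hi);
	for (i = 0; i < sizeof(s.guard); i++)
		if (s.guard[i] != 0xA5)
			return 0;
	return 1;
}

int main(void)
{
	printf("worst case needs %d bytes\n", worst_case_len() + 1);
	return guard_survives(ULONG_MAX, ULONG_MAX) ? 0 : 1;
}
```

In kernel code the same pattern is a bounded formatter such as snprintf() or scnprintf() called with sizeof() of the destination array.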

Thread overview: 9+ messages
2024-06-26  2:11 [PATCH] dev/parport: fix the array out-of-bounds risk tuhaowen
2024-07-04 10:07 ` Greg KH
2024-07-05  6:36   ` tuhaowen
2024-07-05  6:45     ` Greg KH [this message]
2024-07-05  8:58       ` tuhaowen
2024-07-05  9:42         ` Greg KH
2024-07-08  2:33           ` tuhaowen
2024-07-08  7:18             ` Greg KH
2024-07-08  8:04               ` [PATCH v2] " tuhaowen