public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Andrey Shumilin <shum.sdl@nppct.ru>, Helge Deller <deller@gmx.de>,
	Sasha Levin <sashal@kernel.org>,
	tzimmermann@suse.de, javierm@redhat.com, fullwaywang@outlook.com,
	linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.10 26/26] fbdev: sisfb: Fix strbuf array overflow
Date: Fri,  4 Oct 2024 14:29:52 -0400
Message-ID: <20241004183005.3675332-26-sashal@kernel.org>
In-Reply-To: <20241004183005.3675332-1-sashal@kernel.org>

From: Andrey Shumilin <shum.sdl@nppct.ru>

[ Upstream commit 9cf14f5a2746c19455ce9cb44341b5527b5e19c3 ]

The values of the variables xres and yres are placed in strbuf.
These variables are obtained from strbuf1.
The strbuf1 array contains digit characters
and a space if the array contains non-digit characters.
Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres);
more than 16 bytes will be written to strbuf.
It is suggested to increase the size of the strbuf array to 24.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/sis/sis_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c
index e540cb0c51726..7787fd21932cb 100644
--- a/drivers/video/fbdev/sis/sis_main.c
+++ b/drivers/video/fbdev/sis/sis_main.c
@@ -183,7 +183,7 @@ static void sisfb_search_mode(char *name, bool quiet)
 {
 	unsigned int j = 0, xres = 0, yres = 0, depth = 0, rate = 0;
 	int i = 0;
-	char strbuf[16], strbuf1[20];
+	char strbuf[24], strbuf1[20];
 	char *nameptr = name;
 
 	/* We don't know the hardware specs yet and there is no ivideo */
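Review bot: at `char strbuf[24]`, the new size is the exact worst case for the `sprintf(strbuf, "%ux%ux8", xres, yres)` call quoted in the commit message, with no slack. Two 32-bit `unsigned int` values print as up to 10 digits each, plus the `x` separator, the `x8` suffix and the terminating NUL, which comes to 24 bytes. The bound is therefore enforced only by the array size. Consider switching the call to `snprintf(strbuf, sizeof(strbuf), ...)` so it stays safe if the format string or the variable types change, and add a short comment next to the declaration recording how 24 was derived.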
-- 
2.43.0

