From: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
To: Dev Doshi <devdoshi@hotmail.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] misc: altera-stapl: fix format string vulnerability in OP_PRNT handler
Date: Fri, 27 Feb 2026 15:54:54 -0500
Message-ID: <2026022714-object-magnesium-3da9@gregkh>
In-Reply-To: <AS8PR02MB68053B3033EEA39ED245EA18C173A@AS8PR02MB6805.eurprd02.prod.outlook.com>
On Fri, Feb 27, 2026 at 02:30:46PM +0000, Dev Doshi wrote:
> The OP_PRNT opcode handler in the STAPL bytecode interpreter passes
> msg_buff directly as the format string argument to printk():
>
> printk(msg_buff, "\n");
>
> msg_buff is constructed from STAPL bytecode execution through the
> OP_PINT, OP_PCHR, and OP_PSTR opcodes, which append integers,
> characters, and strings from the bytecode's string table. If the
> STAPL/JAM file contains format specifiers (e.g. %p, %x, %n) in its
> string data, these will be interpreted by printk(), potentially
> leaking kernel stack memory or causing undefined behavior.
>
> The second argument "\n" was clearly intended to append a newline
> after the message, not to serve as a format argument. The programmer
> intended the equivalent of printf("%s\n", msg_buff).
>
> Fix by using a proper format string with pr_info().
>
> Assisted-by: GitHub Copilot (Claude claude-4-opus)
> Signed-off-by: Dev Doshi <devdoshi@hotmail.com>
>
> ---
> drivers/misc/altera-stapl/altera.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/altera-stapl/altera.c b/drivers/misc/altera-stapl/altera.c
> index 4fa6c9062..b9a5a3ea7 100644
> --- a/drivers/misc/altera-stapl/altera.c
> +++ b/drivers/misc/altera-stapl/altera.c
> @@ -700,7 +700,7 @@ static int altera_execute(struct altera_state *astate,
> case OP_PRNT:
> /* PRINT finish */
> if (debug)
> - printk(msg_buff, "\n");
> + pr_info("%s\n", msg_buff);
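Review bot: the `+` line changes more than the format string: the original `printk(msg_buff, "\n")` carries no KERN_ level, so it logs at the default level, whereas `pr_info("%s\n", msg_buff)` logs at KERN_INFO and picks up any `pr_fmt()` prefix the file defines, so the visible output differs. Either keep the level, where `printk("%s\n", msg_buff);` is the minimal change that still turns the buffer into data rather than format, or state in the commit message that the level and prefix change is intended. The `if (debug)` guard above the changed line is untouched, so the fix only takes effect when `debug` is set; that is worth noting as well.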
Close, but not quite :)
pr_info() has a different output format than printk() does. Or it can,
depending on the calling file. Do you have this hardware to test that
this really looks the same? And this data is coming from hardware, not
userspace, right?
I think that should be written as:
case OP_PRNG:
/* PRINT finish */
dprintk("%s\n", msg_buff);
making it one less line overall, and "fixing" the potential issue at the
same time, a win for everyone :)
This whole file is really crazy, and given the amount of noise it is
printing out to the kernel log, I can't imagine anyone is actually using
it in this manner as it's just a lot of fpga junk.
thanks,
greg k-h
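The bug discussed in this thread, reproduced in user space as an added example that is not part of the patch or of the kernel driver: the buffer is passed as the format and "\n" as the only argument, so a single %s in the string data silently consumes the newline, while the fixed shape treats the buffer as data. `count_conversions` is a hypothetical loader-side check, not something the driver has. The message string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the interpreter's message buffer: only the
 * STAPL string table decides its contents, so a file can place a
 * conversion specifier in it. */
#define MSG_WITH_SPEC "status: %s"

/* Same call shape as the original printk(msg_buff, "\n"): the buffer is
 * the format and "\n" the only variadic argument, so one %s swallows the
 * newline. More conversions would read arguments that were never passed
 * (undefined behaviour), which is why the demo uses exactly one %s. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_buggy(char *out, size_t n, const char *msg_buff)
{
	return snprintf(out, n, msg_buff, "\n");
}
#pragma GCC diagnostic pop

/* Shape of the fix: a literal format, the buffer passed as data. */
static int render_fixed(char *out, size_t n, const char *msg_buff)
{
	return snprintf(out, n, "%s\n", msg_buff);
}

/* Renders msg through either path and reports whether it equals expected. */
static int renders_as(int use_fixed, const char *msg, const char *expected)
{
	char out[64];

	if (use_fixed)
		render_fixed(out, sizeof out, msg);
	else
		render_buggy(out, sizeof out, msg);
	return strcmp(out, expected) == 0;
}

/* Hypothetical loader check: count '%' that would start a conversion;
 * "%%" is a literal percent and is skipped as a pair. */
static int count_conversions(const char *s)
{
	int count = 0;

	for (; *s; s++) {
		if (*s != '%')
			continue;
		if (s[1] == '%')
			s++;
		else
			count++;
	}
	return count;
}
```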