From: Johannes Thumshirn
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, Filip Jensen, Jose Javier Rodriguez Barbarin, Johannes Thumshirn
Subject: [PATCH 1/1] mcb: fix kasan read slab out of bounds
Date: Tue, 14 Apr 2026 15:08:21 +0200
Message-ID: <20260414130821.134131-2-morbidrsa@gmail.com>

From: Filip Jensen

Fixes the following kasan bug report reproducible when probing the
driver:

slab-out-of-bounds in string_nocheck lib/vsprintf.c:655
slab-out-of-bounds in string+0x396/0x440 lib/vsprintf.c:737
Read of size 1 at addr ffff88810dd32f94 by task modprobe/661

It is caused by passing snprintf a non-null-terminated string as a
parameter while the format string expects one ("%s"), thus making it
read past the valid data.

Another solution could be giving a length to the snprintf parameter:

  snprintf(bus->name,CHAMELEON_FILENAME_LEN + 1,"%.*s",CHAMELEON_FILENAME_LEN,header->filename);

However, this solution seems less readable and since there is no need
to format the input, apart from converting it into a right C string, a
simple memcpy is here proposed.

Reviewed-by: Jose Javier Rodriguez Barbarin
Signed-off-by: Filip Jensen
Signed-off-by: Johannes Thumshirn
---
 drivers/mcb/mcb-parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c index 7e09a0ea80f8..2b115cb0e5d9 100644 --- a/drivers/mcb/mcb-parse.c +++ b/drivers/mcb/mcb-parse.c @@ -200,8 +200,8 @@ int chameleon_parse_cells(struct mcb_bus *bus, phys_addr_t mapbase, bus->revision = header->revision; bus->model = header->model; bus->minor = header->minor; - snprintf(bus->name, CHAMELEON_FILENAME_LEN + 1, "%s", - header->filename); + memcpy(bus->name, header->filename, CHAMELEON_FILENAME_LEN); + bus->name[CHAMELEON_FILENAME_LEN] = '\0'; bar_count = chameleon_get_bar(&p, mapbase, &cb); if (bar_count < 0) { -- 2.53.0
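
Review bot: in the two added lines, the copy length and the terminator index are both the bare constant CHAMELEON_FILENAME_LEN, so the store to bus->name[CHAMELEON_FILENAME_LEN] is in bounds only if bus->name holds at least CHAMELEON_FILENAME_LEN + 1 bytes, and nothing in the hunk ties the two together. The removed snprintf() call passed the same CHAMELEON_FILENAME_LEN + 1 as its size, so the assumption is not new, but the declaration of bus->name is not visible here; consider a compile-time check next to the copy, for example BUILD_BUG_ON(sizeof(bus->name) < CHAMELEON_FILENAME_LEN + 1), assuming bus->name is an array. Note also that memcpy() now copies all CHAMELEON_FILENAME_LEN bytes even when header->filename contains an earlier NUL, where the old "%s" stopped at it; the result is still a terminated string, but a sentence in the commit message saying so would help. The commit message also carries no Fixes: tag naming the commit that introduced the snprintf() call.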