From: disconnect3d <dominik.b.czarnota@xxxxxxxxx>
This patch fixes an off-by-one error in strncpy size argument in
drivers/video/fbdev/nvidia/nvidia.c. The issue is that in:
strncmp(this_opt, "noaccel", 6)
the passed string literal: "noaccel" has 7 bytes (without the NULL byte)
and the passed size argument is 6. As a result, the logic will also
match/accept string "noacce" or "noacceX".
This bug doesn't seem to have any security impact since its present in
the driver's setup and just accepts slighty changed string to enable the
`noaccel` flag.
Signed-off-by: disconnect3d <dominik.b.czarnota@xxxxxxxxx>
---
Notes:
The bug could also be fixed by changing the size argument to
`sizeof("string literal")-1` but I am not proposing this change as that
would have to be changed in other places.
There are also more cases like this in kernel sources which I
reported/will report soon.
This bug has been found by running a massive grep-like search using
Google's BigQuery on GitHub repositories data. I am also going to work
on a CodeQL/Semmle query to be able to find more sophisticated cases
like this that can't be found via grepping.
drivers/video/fbdev/nvidia/nvidia.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
index c583c018304d..b77efeb33477 100644
--- a/drivers/video/fbdev/nvidia/nvidia.c
+++ b/drivers/video/fbdev/nvidia/nvidia.c
@@ -1470,7 +1470,7 @@ static int nvidiafb_setup(char *options)
flatpanel = 1;
} else if (!strncmp(this_opt, "hwcur", 5)) {
hwcur = 1;
- } else if (!strncmp(this_opt, "noaccel", 6)) {
+ } else if (!strncmp(this_opt, "noaccel", 7)) {
noaccel = 1;
} else if (!strncmp(this_opt, "noscale", 7)) {
noscale = 1;
--
2.25.1
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
