Patch "EDAC/thunderx: Fix possible out-of-bounds string access" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    EDAC/thunderx: Fix possible out-of-bounds string access

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     edac-thunderx-fix-possible-out-of-bounds-string-acce.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a697ee25680f113b7b1e5a6d6432a4c697942d04
Author: Arnd Bergmann <arnd@xxxxxxxx>
Date:   Wed Nov 22 23:19:53 2023 +0100

    EDAC/thunderx: Fix possible out-of-bounds string access
    
    [ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ]
    
    Enabling -Wstringop-overflow globally exposes a warning for a common bug
    in the usage of strncat():
    
      drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
      drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
       1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
            |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       ...
       1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
       ...
       1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
    
       ...
    
    Apparently the author of this driver expected strncat() to behave the
    way that strlcat() does, which uses the size of the destination buffer
    as its third argument rather than the length of the source buffer. The
    result is that there is no check on the size of the allocated buffer.
    
    Change it to strlcat().
    
      [ bp: Trim compiler output, fixup commit message. ]
    
    Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
    Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
    Signed-off-by: Borislav Petkov (AMD) <bp@xxxxxxxxx>
    Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
index b9c5772da959..90d46e5c4ff0 100644
--- a/drivers/edac/thunderx_edac.c
+++ b/drivers/edac/thunderx_edac.c
@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
 		decode_register(other, OCX_OTHER_SIZE,
 				ocx_com_errors, ctx->reg_com_int);
 
-		strncat(msg, other, OCX_MESSAGE_SIZE);
+		strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 		for (lane = 0; lane < OCX_RX_LANES; lane++)
 			if (ctx->reg_com_int & BIT(lane)) {
@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
 					 lane, ctx->reg_lane_int[lane],
 					 lane, ctx->reg_lane_stat11[lane]);
 
-				strncat(msg, other, OCX_MESSAGE_SIZE);
+				strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 				decode_register(other, OCX_OTHER_SIZE,
 						ocx_lane_errors,
 						ctx->reg_lane_int[lane]);
-				strncat(msg, other, OCX_MESSAGE_SIZE);
+				strlcat(msg, other, OCX_MESSAGE_SIZE);
 			}
 
 		if (ctx->reg_com_int & OCX_COM_INT_CE)
@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
 		decode_register(other, OCX_OTHER_SIZE,
 				ocx_com_link_errors, ctx->reg_com_link_int);
 
-		strncat(msg, other, OCX_MESSAGE_SIZE);
+		strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 		if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
 			edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
 
 		decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
 
-		strncat(msg, other, L2C_MESSAGE_SIZE);
+		strlcat(msg, other, L2C_MESSAGE_SIZE);
 
 		if (ctx->reg_int & mask_ue)
 			edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux