From: Daniel Thompson <daniel.thompson@xxxxxxxxxx> commit c9b51ddb66b1d96e4d364c088da0f1dfb004c574 upstream. Currently when the current line should be removed from the display kdb_read() uses memset() to fill a temporary buffer with spaces. The problem is not that this could be trivially implemented using a format string rather than open coding it. The real problem is that it is possible, on systems with a long kdb_prompt_str, to write past the end of the tmpbuffer. Happily, as mentioned above, this can be trivially implemented using a format string. Make it so! Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Douglas Anderson <dianders@xxxxxxxxxxxx> Tested-by: Justin Stitt <justinstitt@xxxxxxxxxx> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-5-f236dbe9828d@xxxxxxxxxx Signed-off-by: Daniel Thompson <daniel.thompson@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/debug/kdb/kdb_io.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -315,11 +315,9 @@ poll_again: break; case 14: /* Down */ case 16: /* Up */ - memset(tmpbuffer, ' ', - strlen(kdb_prompt_str) + (lastchar-buffer)); - *(tmpbuffer+strlen(kdb_prompt_str) + - (lastchar-buffer)) = '\0'; - kdb_printf("\r%s\r", tmpbuffer); + kdb_printf("\r%*c\r", + (int)(strlen(kdb_prompt_str) + (lastchar - buffer)), + ' '); *lastchar = (char)key; *(lastchar+1) = '\0'; return lastchar; Patches currently in stable-queue which might be from daniel.thompson@xxxxxxxxxx are queue-4.19/kdb-fix-console-handling-when-editing-and-tab-completing-commands.patch queue-4.19/kdb-use-format-specifiers-rather-than-memset-for-padding-in-kdb_read.patch queue-4.19/kdb-fix-buffer-overflow-during-tab-complete.patch queue-4.19/kdb-use-format-strings-rather-than-0-injection-in-kdb_read.patch queue-4.19/kdb-merge-identical-case-statements-in-kdb_read.patch
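Review bot: the `%*c` width in the new kdb_printf() call is `(int)(strlen(kdb_prompt_str) + (lastchar - buffer))`, a size_t/ptrdiff_t sum narrowed to int with no comment; it cannot realistically exceed INT_MAX for a prompt plus an input line, but a one-line comment (or a local `int width` computed first) would make that explicit, because a negative `*` width is not rejected by vsnprintf but treated as left-justification of the absolute value. Also note that `%*c` with a width of 0 still emits the single ' ' argument, so an empty prompt with an empty line now prints `\r \r` where the removed memset() path printed `\r\r`; harmless on a console, but it is a small behavioural difference the commit message does not mention.

The following is an added example, not code from the kernel or from this patch series: it models the before and after of the change in plain C so the overflow arithmetic can be checked outside kdb. The tmpbuffer size (TMPBUF_LEN), the prompt strings and the line lengths are constructed assumptions, and snprintf() into a caller-supplied buffer stands in for kdb_printf(), which writes to the console rather than to memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed scratch buffer size. The real kdb tmpbuffer is larger; a small
 * value makes the overflow condition easy to hit in the demonstration. */
#define TMPBUF_LEN 32

/* Bytes the pre-patch code stored into tmpbuffer: it memset() the padding
 * spaces (strlen(prompt) + line_len of them) and then wrote a '\0' one past
 * them, so the store covers width + 1 bytes. */
static size_t old_bytes_written(const char *prompt, size_t line_len)
{
    return strlen(prompt) + line_len + 1;
}

/* True when the pre-patch memset()/NUL store would run past a tmpbuffer of
 * tmpbuf_len bytes, i.e. the bug the patch fixes. */
static bool old_erase_overflows(const char *prompt, size_t line_len,
                                size_t tmpbuf_len)
{
    return old_bytes_written(prompt, line_len) > tmpbuf_len;
}

/* Post-patch approach: let the printf engine emit the padding via "%*c".
 * Here snprintf() stands in for kdb_printf(); the output is bounded by
 * out_len regardless of how long the prompt is. Returns the length the
 * full erase sequence needs, as snprintf() does. */
static int erase_line_fmt(char *out, size_t out_len, const char *prompt,
                          size_t line_len)
{
    int width = (int)(strlen(prompt) + line_len);

    /* "%*c" with width N prints N-1 pad spaces followed by the ' ' argument,
     * so the field is exactly N spaces wide. */
    return snprintf(out, out_len, "\r%*c\r", width, ' ');
}

/* Count the spaces between the two '\r' bytes of an erase sequence. */
static size_t erase_line_spaces(const char *seq)
{
    size_t n = 0;

    for (; *seq; seq++)
        if (*seq == ' ')
            n++;
    return n;
}

int main(void)
{
    /* Constructed inputs: a short prompt and a deliberately long one. */
    const char *short_prompt = "kdb> ";
    const char *long_prompt = "very-long-kdb-prompt-string> ";
    char out[64];
    int n;

    printf("short prompt, 10 chars typed: old code overflows %u-byte buffer? %s\n",
           TMPBUF_LEN,
           old_erase_overflows(short_prompt, 10, TMPBUF_LEN) ? "yes" : "no");
    printf("long prompt, 10 chars typed:  old code overflows %u-byte buffer? %s\n",
           TMPBUF_LEN,
           old_erase_overflows(long_prompt, 10, TMPBUF_LEN) ? "yes" : "no");

    n = erase_line_fmt(out, sizeof(out), long_prompt, 10);
    printf("format-string erase needs %d bytes, emits %zu spaces, never touches a scratch buffer\n",
           n, erase_line_spaces(out));
    return 0;
}
```

The test below checks the two properties the commit message states: the old store overruns once the prompt plus the typed text reaches the scratch buffer size, and the format-string version produces exactly strlen(prompt) + line_len spaces while staying within whatever output bound it is given.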