summaryrefslogtreecommitdiff
path: root/drivers/of
diff options
context:
space:
mode:
authorSergey Shtylyov <s.shtylyov@omp.ru>2024-03-27 19:52:49 +0300
committerRob Herring <robh@kernel.org>2024-03-27 17:05:07 -0500
commita1aa5390cc912934fee76ce80af5f940452fa987 (patch)
tree6b7c0b89a30267467d890822958087927706b989 /drivers/of
parentb5237d0bdb3cb164b7792cc4f1ff2ecafbfac661 (diff)
downloadlwn-a1aa5390cc912934fee76ce80af5f940452fa987.tar.gz
lwn-a1aa5390cc912934fee76ce80af5f940452fa987.zip
of: module: prevent NULL pointer dereference in vsnprintf()
In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@omp.ru Signed-off-by: Rob Herring <robh@kernel.org>
Diffstat (limited to 'drivers/of')
-rw-r--r--drivers/of/module.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/of/module.c b/drivers/of/module.c
index 0e8aa974f0f2..f58e624953a2 100644
--- a/drivers/of/module.c
+++ b/drivers/of/module.c
@@ -16,6 +16,14 @@ ssize_t of_modalias(const struct device_node *np, char *str, ssize_t len)
ssize_t csize;
ssize_t tsize;
+ /*
+ * Prevent a kernel oops in vsnprintf() -- it only allows passing a
+ * NULL ptr when the length is also 0. Also filter out the negative
+ * lengths...
+ */
+ if ((len > 0 && !str) || len < 0)
+ return -EINVAL;
+
/* Name & Type */
/* %p eats all alphanum characters, so %c must be used here */
csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T',