Message ID | 20250530094737.127830-1-dmantipov@yandex.ru |
---|---|
State | New |
Series | ACPICA: avoid out-of-bounds read in acpi_ut_safe_strncpy() |
diff --git a/drivers/acpi/acpica/utnonansi.c b/drivers/acpi/acpica/utnonansi.c index 803e3e893825..1447d8689209 100644 --- a/drivers/acpi/acpica/utnonansi.c +++ b/drivers/acpi/acpica/utnonansi.c @@ -166,10 +166,7 @@ acpi_ut_safe_strncat(char *dest, void acpi_ut_safe_strncpy(char *dest, char *source, acpi_size dest_size) { - /* Always terminate destination string */ - - memcpy(dest, source, dest_size); - dest[dest_size - 1] = 0; + strscpy(dest, source, dest_size); } #endif
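Review bot: the added strscpy(dest, source, dest_size) line stops writing at the terminating NUL, so unlike the removed memcpy(), which always wrote dest_size bytes, it leaves the tail of dest untouched. If any caller passes a buffer that is not already zeroed and later compares or copies out the whole field, stale bytes stay in it; check the callers (the KASAN trace names acpi_ps_alloc_op()) or use strscpy_pad() to keep the tail zero-filled. The return value is also dropped, so truncation (-E2BIG) remains silent as it was before. Since the "Always terminate destination string" comment is removed, a one-line comment stating that termination now comes from strscpy() and that truncation is deliberately ignored would keep the function's contract documented.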
Running KASAN-enabled kernel with ACPI_DEBUG_OUTPUT, I've noticed the following:

BUG: KASAN: global-out-of-bounds in acpi_ut_safe_strncpy+0x25/0x70
Read of size 16 at addr ffffffff8bf2bee0 by task swapper/0/1

CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-08486-gf66bc387efbe #17 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250
 ...
 kasan_check_range+0x2b0/0x2c0
 __asan_memcpy+0x29/0x70
 acpi_ut_safe_strncpy+0x25/0x70
 acpi_ps_alloc_op+0x201/0x3a0
 ...

The buggy address belongs to the variable:
 .str.8+0x0/0x20

This happens when 'acpi_ut_safe_strncpy()' makes an attempt to copy to the destination which is larger than source, and may be fixed by using 'strscpy()' (which also guarantees NUL termination for a destination).

Fixes: ebf27765421c ("ACPICA: Replace strncpy() with memcpy()")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>

---
 drivers/acpi/acpica/utnonansi.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)