Source: linux
Version: 6.1.133-1
Severity: normal
X-Debbugs-Cc: henr...@debian.org

Dear Maintainers,

I've investigated CVE-2024-38541 since I'm running Debian 12 instances on AWS and Amazon Inspector alerts that it is a critical vuln. It seems that it is easily applied to the 6.1 branch with some modification, as in the attached patch. I've already sent it to the original author and reviewer but did not get any reply, so maybe I'm wrong... Anyway, could you check it, please?

Thank you.

>From 58c18ebe72c2ff8bce5fbbc8d0a55dde1f264ac4 Mon Sep 17 00:00:00 2001 From: Hideki Yamane <h-yam...@sios.com> Date: Fri, 28 Mar 2025 17:24:08 +0900 Subject: [PATCH] of: device: add buffer overflow check in of_device_get_modalias() (CVE-2024-38541) [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ] > In of_modalias(), if the buffer happens to be too small even for the 1st > snprintf() call, the len parameter will become negative and str parameter > (if not NULL initially) will point beyond the buffer's end. Add the buffer > overflow check after the 1st snprintf() call and fix such check after the > strlen() call (accounting for the terminating NUL char). > > Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse > compatible strings") > Signed-off-by: Sergey Shtylyov <s.shtyl...@omp.ru> > Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f3...@omp.ru > Signed-off-by: Rob Herring <r...@kernel.org> drivers/of/module.c was splited from drivers/of/device.c, so same fix can be applied to device.c. --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index ce225d2590b5..91d92bfe5735 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -264,14 +264,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); -- 2.47.2
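
Review bot: The now-unconditional `str += csize` after the first snprintf() is only safe for a NULL str when len is 0, and neither the hunk nor the commit message says that callers must obey this. With len == 0 the new clamp (`csize = len > 0 ? len - 1 : 0`) sets csize to 0, so str is left unchanged and the `csize >= len` test skips every "compatible" entry before the second snprintf() is reached; that is what makes dropping the `if (str)` guard correct. Suggest a one-line comment above the clamp stating that a NULL str must be passed with len 0, and a sentence in the backport note confirming that the 6.1 callers of of_device_get_modalias() were checked for it. The returned size is not affected by the clamp, since tsize is assigned from csize before the clamp is applied.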