Fix sprintf usage that may lead to buffer overflow
Bug #1959119 reported by Jitendra Lanka
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux-bluefield (Ubuntu) | Invalid | Undecided | Unassigned | |
Focal | Fix Released | Medium | Jitendra Lanka | |
Bug Description
SRU Justification:
[Impact]
Fix references to sprintf that have a possibility for buffer overflow
[Fix]
Replace sprintf with snprintf containing a defined boundary of PAGE_SIZE for sysfs store/show functions and max array size defined otherwise.
[Test Case]
Existing testcases should work as is as no functional change has been introduced by this patch.
[Regression Potential]
Regression potential can be considered minimal since the patch does not change any function of the driver other than limiting the upper bound of sprintf where the usual lengths parsed are < PAGE_SIZE and requests > PAGE_SIZE are limited.
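The change this bug describes, as an added userspace sketch (not the linux-bluefield driver's code): a sysfs-style show function before and after bounding the write to one page. `demo_dev`, `demo_fill`, the `show_name_*` functions and `DEMO_PAGE_SIZE` are hypothetical names; the third variant shows the caveat that `snprintf` returns the would-be length on truncation, which the kernel's `scnprintf()` clamps.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_PAGE_SIZE 4096  /* assumption: stands in for the kernel's PAGE_SIZE */

/* Hypothetical device state; name stands in for any driver-held string. */
struct demo_dev { char name[8192]; };

/* Before: unbounded. Overruns buf once the output exceeds one page. */
int show_name_unbounded(const struct demo_dev *d, char *buf)
{
    return sprintf(buf, "name=%s\n", d->name);
}

/* After, as the bug describes: the write is bounded by the page size.
 * Note that snprintf returns the length it would have written, so the
 * return value can still exceed the buffer when output is truncated. */
int show_name_snprintf(const struct demo_dev *d, char *buf)
{
    return snprintf(buf, DEMO_PAGE_SIZE, "name=%s\n", d->name);
}

/* Same bound, with the return clamped to the bytes actually stored
 * (the behaviour of the kernel's scnprintf()). */
int show_name_clamped(const struct demo_dev *d, char *buf)
{
    int n = snprintf(buf, DEMO_PAGE_SIZE, "name=%s\n", d->name);
    if (n < 0)
        return 0;
    return n >= DEMO_PAGE_SIZE ? DEMO_PAGE_SIZE - 1 : n;
}

/* Constructed input: fill name with len 'A' characters. */
void demo_fill(struct demo_dev *d, size_t len)
{
    memset(d->name, 'A', len);
    d->name[len] = '\0';
}

int main(void)
{
    static struct demo_dev d;
    static char page[DEMO_PAGE_SIZE];
    demo_fill(&d, 6000);  /* longer than one page */
    int would = show_name_snprintf(&d, page);
    int stored = show_name_clamped(&d, page);
    printf("snprintf returned %d, clamped %d, strlen %zu\n", would, stored, strlen(page));
    return 0;
}
```

A show function that returns the raw `snprintf` value reports more bytes than the page holds whenever truncation occurs, so the clamped form is the one whose return value is safe to hand back.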
CVE References
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → Jitendra Lanka (jlankanvidia)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
This bug was fixed in the package linux-bluefield - 5.4.0-1028.31
---------------
linux-bluefield (5.4.0-1028.31) focal; urgency=medium
* focal/linux-bluefield: 5.4.0-1028.31 -proposed tracker (LP: #1959252)
* Support CIFS for CUDA (LP: #1958299)
- [Config] bluefield: CONFIG_CIFS=m
- [Config] bluefield: Additional config options for CIFS
* Fix ct_state nat matching and nat action not being executed (LP: #1957807)
- net: zero-initialize tc skb extension on allocation
- net/sched: Extend qdisc control block with tc control block
- net/sched: flow_dissector: Fix matching on zone id for invalid conns
- net: openvswitch: Fix matching zone id for invalid conns arriving from tc
- net: openvswitch: Fix ct_state nat flags for conns arriving from tc
* Fix sprintf usage that may lead to buffer overflow (LP: #1959119)
- SAUCE: Fix references to sprintf that may cause buffer overflow
[ Ubuntu: 5.4.0-100.113 ]
* focal/linux: 5.4.0-100.113 -proposed tracker (LP: #1959900)
* CVE-2022-22942
- SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy
* CVE-2022-0330
- drm/i915: Flush TLBs before releasing backing store
* Focal update: v5.4.166 upstream stable release (LP: #1957008)
- netfilter: selftest: conntrack_vrf.sh: fix file permission
- Linux 5.4.166
- net/packet: rx_owner_map depends on pg_vec
- USB: gadget: bRequestType is a bitfield, not a enum
- HID: holtek: fix mouse probing
- udp: using datalen to cap ipv6 udp max gso segments
- selftests: Calculate udpgso segment count without header adjustment
* Focal update: v5.4.165 upstream stable release (LP: #1957007)
- serial: tegra: Change lower tolerance baud rate limit for tegra20 and
tegra30
- ntfs: fix ntfs_test_inode and ntfs_init_locked_inode function type
- HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
- HID: google: add eel USB id
- HID: add hid_is_usb() function to make it simpler for USB detection
- HID: add USB_HID dependancy to hid-prodikeys
- HID: add USB_HID dependancy to hid-chicony
- HID: add USB_HID dependancy on some USB HID drivers
- HID: bigbenff: prevent null pointer dereference
- HID: wacom: fix problems when device is not a valid USB device
- HID: check for valid USB device for many HID drivers
- can: kvaser_usb: get CAN clock frequency from device
- can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct
stats->{rx,tx}_errors counter
- can: sja1000: fix use after free in ems_pcmcia_add_card()
- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
- selftests: netfilter: add a vrf+conntrack testcase
- vrf: don't run conntrack on vrf with !dflt qdisc
- bpf: Fix the off-by-two error in range markings
- ice: ignore dropped packets during init
- bonding: make tx_rebalance_counter an atomic
- nfp: Fix memory leak in nfp_cpp_area_cache_add()
- seg6: fix the iif in the IPv6 socket control block
- udp: using datalen to cap max gso segments
- iavf: restore MSI state on reset
- iavf: Fix reporting when setting descriptor count
- IB/hfi1: ...