From: Marek Behún <marek.behun@nic.cz>
Date: Sat, 15 Feb 2020 14:21:30 +0000 (+0100)
Subject: bus: moxtet: fix potential stack buffer overflow
X-Git-Tag: v5.5.5~36
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=9fd8d4b53e92f1fb5137d6ab2274dcb219a56523;p=users%2Fdwmw2%2Flinux.git

bus: moxtet: fix potential stack buffer overflow

commit 3bf3c9744694803bd2d6f0ee70a6369b980530fd upstream.

The input_read function declares the size of the hex array relative to
sizeof(buf), but buf is a pointer argument of the function. The hex
array is meant to contain hexadecimal representation of the bin array.

Link: https://lore.kernel.org/r/20200215142130.22743-1-marek.behun@nic.cz
Fixes: 5bc7f990cd98 ("bus: Add support for Moxtet bus")
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c
index 36cf13eee6b8b..68413bf9cf879 100644
--- a/drivers/bus/moxtet.c
+++ b/drivers/bus/moxtet.c
@@ -466,7 +466,7 @@ static ssize_t input_read(struct file *file, char __user *buf, size_t len,
 {
 	struct moxtet *moxtet = file->private_data;
 	u8 bin[TURRIS_MOX_MAX_MODULES];
-	u8 hex[sizeof(buf) * 2 + 1];
+	u8 hex[sizeof(bin) * 2 + 1];
 	int ret, n;
 
 	ret = moxtet_spi_read(moxtet, bin);