From 1b80706cb0b93f31431ab2c42c70fa32eadf189f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 25 Jun 2024 03:32:46 +0000 Subject: [PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug mainline inclusion from mainline-v6.10-rc commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SI7 CVE: CVE-2024-38587 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b ---------------------------------------------------------------------- The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. Fixes: c3b12fcb1791 ("speakup: Avoid crash on very long word") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Reviewed-by: Samuel Thibault Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain Signed-off-by: Greg Kroah-Hartman Conflicts: drivers/staging/speakup/main.c [file was copy from drivers/staging/speakup/main.c to drivers/accessibility/speakup/main.c] Signed-off-by: Chen Ridong --- drivers/staging/speakup/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/speakup/main.c b/drivers/staging/speakup/main.c index 8dd47a995fd9..548a5e1cbe1f 100644 --- a/drivers/staging/speakup/main.c +++ b/drivers/staging/speakup/main.c @@ -577,7 +577,7 @@ static u_long get_word(struct vc_data *vc) } attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr); buf[cnt++] = attr_ch; - while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) { + while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) { tmp_pos += 2; tmpx++; ch = get_char(vc, (u_short *)tmp_pos, &temp); -- Gitee