fix: remove unsafe exec() in lockdown.c #1712
Recording immediately after playing music will result in the latter part of the recording having no sound. The reason is as follows: playback and recording share the same clock. After playback stops, the audio framework will shut down the clock after 5 seconds. If recording starts within this 5-second period, the recording clock will be turned off. Therefore, the CONTROL1 register should be modified so that playback and recording use different clocks. Signed-off-by: Cheng Yulai <chengyulai1490@phytium.com.cn> Signed-off-by: Zhou Zheng <zhouzheng2069@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
This driver is exclusively for the PHYTIUM platform and is not compatible with other SoCs. This restriction avoids compiling this driver on other platforms. Signed-off-by: Cheng Yulai <chengyulai1490@phytium.com.cn> Signed-off-by: Zhou Zheng <zhouzheng2069@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Add a controller status code for the no-initialization error. Signed-off-by: Cheng Yulai <chengyulai1490@phytium.com.cn> Signed-off-by: Zhou Zheng <zhouzheng2069@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Initialize channels and shared memory before sending commands to prevent unknown errors. Signed-off-by: Cheng Yulai <chengyulai1490@phytium.com.cn> Signed-off-by: Zhou Zheng <zhouzheng2069@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
When executing the probe interface, the driver should return the actual error code instead of zero, to avoid creating the sound card successfully when the hardware is not present. Signed-off-by: Dai Jingtao <daijingtao1503@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Add an audio control node to disable/enable the I2S and DMA function. The node is used by dp-i2s to control whether audio should stop or continue, for example when changing resolution during playback. Signed-off-by: Li Bing <libing1969@phytium.com.cn> Signed-off-by: Dai Jingtao <daijingtao1503@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
This driver is exclusively for the PHYTIUM platform and is not compatible with other SoCs. This restriction prevents errors on unsupported platforms. Signed-off-by: Li Bing <libing1969@phytium.com.cn> Signed-off-by: Dai Jingtao <daijingtao1503@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
The problem is that when the hardware card is not inserted, sound card loading fails due to undefined behavior from headphone detection. This detection is in the I2S driver's probe function, but I2S cannot detect whether a daughter card actually exists. Therefore, the codec's probe should execute first and return directly if no daughter card is found. Signed-off-by: Li Bing <libing1969@phytium.com.cn> Signed-off-by: Dai Jingtao <daijingtao1503@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
This patch provides three methods for reading the CPU type for Phytium SoCs, with priority from high to low as follows: - read socid by arm-smccc - read system register of SYS_AIDR_EL1 - read system register of MPIDR_EL1 Signed-off-by: Zhang Fuxiang <zhangfuxiang2144@phytium.com.cn> Signed-off-by: Feng Jun <fengjun@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
This patch adjusts the mechanism of obtaining the CPU type for Phytium SoCs. It can directly return the current CPU type when an external interface calls the function. Signed-off-by: Zhang Fuxiang <zhangfuxiang2144@phytium.com.cn> Signed-off-by: Feng Jun <fengjun@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Modify the definition of PE220x CPU name from PHYTIUM_CPU_PART_FTC303 to PHYTIUM_CPU_PART_FTC310 to support initialization and features for the FTC310 processor. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
zhaoxin inclusion category: feature -------------------- This patch extends temperature monitoring support to include the new Zhaoxin KX-8000 FMS CPU family by: 1. Adding model 0x8b to the MSR register mapping condition, so it uses the same temperature critical and maximum MSR addresses (0x175b and 0x175a) as the existing 0x6b and 0x7b models. 2. Registering both CENTAUR and ZHAOXIN vendor variants of the 0x8b model in the CPU ID matching table to enable driver probe on these systems. Signed-off-by: leoliu-oc <leoliu-oc@zhaoxin.com>
Let ghes_edac be the preferred driver to load on __ZX__ and _BYO_ systems by extending the platform detection list in ghes.c Signed-off-by: Tony W Wang-oc <TonyWWang-oc@zhaoxin.com> Tested-by: Lyle Li <LyleLi@zhaoxin.com> Acked-by: Borislav Petkov (AMD) <bp@alien8.de> [ rjw: Subject and changelog edits ] Link: https://patch.msgid.link/20260128025216.12564-1-TonyWWang-oc@zhaoxin.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
* Introduce socket‑aware pin definition macros for multi‑socket platforms * Split global pin table into per‑socket pin tables with UID soc_data * Use UID‑based probe to match multi‑socket instances * Dynamically acquire PMIO IO resource instead of hard‑coding address * Fix PMIO offset for multi‑socket compatibility Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Currently, cper_print_pcie() only logs Uncorrectable Error Status, Mask and Severity registers along with the TLP header. If a correctable error is received immediately preceding or following an Uncorrectable Fatal Error, its information is lost since Correctable Error Status and Mask registers are not logged. As such, to avoid skipping any possible error information, Correctable Error Status and Mask registers should also be logged. Additionally, ensure that AER information is also available through cper_print_pcie() for Correctable and Uncorrectable Non-Fatal Errors. Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com> Tested-by: Avadhut Naik <avadhut.naik@amd.com> Signed-off-by: Avadhut Naik <avadhut.naik@amd.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
This adds the DEVFREQ driver for Phytium Net On Chip. It adjusts the frequency for noc based on the load bandwidth obtained from a register. Signed-off-by: Li Jiayi <lijiayi1493@phytium.com.cn> Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
This adds the DEVFREQ driver for Phytium DDR Memory Unit. It adjusts the frequency for dmu based on the load bandwidth obtained from a register. Signed-off-by: Li Jiayi <lijiayi1493@phytium.com.cn> Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
This patch fixes some memory leak problems in the dmu/noc devfreq driver. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
The patch retrieves the base address from the ACPI table instead of being directly exposed inside the driver. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
This patch modifies and adds the following functions: 1). Because the DMU and DDR PMU drivers operate PMU registers at the same time, which results in conflicts, the register operation of se in dmufreq is transferred to the upper driver. 2). The notification chain from dmufreq to DDR PMU is added in order to suspend dmufreq's register action and maintain the rate at the current frequency when the PMU driver is loaded. 3). Add suspend and resume features. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Change the default strategy for the DMU freq driver from simple demand to the performance mode. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Firstly, replace ioremap with devm_ioremap. The advantage of this approach is that it can be automatically managed during the unloading stage, eliminating the need for manual resource cleanup, thus preventing resource leakage. Secondly, resolve the repeated printing issues. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Delete the unnecessary release of resources when using devm_kzalloc function to allocate memory. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
This patch adds a power management interface. Specifically, it adds the phytium_nocfreq_suspend/phytium_nocfreq_resume functions so that the frequency can be restored upon waking up. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Optimize the timer logic for sampling, with the aim of reducing the frequent calls made by processes within the system. It is very helpful for reducing power consumption. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
During driver probe, functions like get_freq_count() and phytium_noc_get_freq_info() call acpi_evaluate_object() with ACPI_ALLOCATE_BUFFER. This interface allocates memory via kmalloc to store the returned ACPI package, but the allocated buffer was never released after use. kmemleak reports unreferenced objects coming from acpi_ut_initialize_buffer() when probing the Phytium DMU freq drivers. Fix this by calling kfree(buffer.pointer) after the ACPI package has been parsed. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
During driver probe, functions like get_freq_count() and phytium_noc_get_freq_info() call acpi_evaluate_object() with ACPI_ALLOCATE_BUFFER. This interface allocates memory via kmalloc to store the returned ACPI package, but the allocated buffer was never released after use. kmemleak reports unreferenced objects coming from acpi_ut_initialize_buffer() when probing the Phytium NOC freq drivers. Fix this by calling kfree(buffer.pointer) after the ACPI package has been parsed. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Add DMU DEVFREQ driver support for Phytium PS260xxx SoCs, compatible with PD2408. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Add NOC DEVFREQ driver support for Phytium PS260xxx SoCs, compatible with PD2408. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Move governor selection after priv allocation and adjust the data handling logic. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Improves NoC-V2 devfreq behavior by fixing low-load oscillation, speeding up ramp-up under rising traffic, and adding hysteresis to reduce frequent back-and-forth transitions between adjacent levels. Signed-off-by: Li Mingzhe <limingzhe1839@phytium.com.cn> Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn> Signed-off-by: Ma Mingrui <mamingrui1243@phytium.com.cn>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
zhaoxin inclusion category: feature -------------------- Add newer Centaur HD Audio PCI IDs, and HDMI codec vendor IDs. Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
This patch simplifies the save_microcode_patch() function in the Zhaoxin microcode driver by removing unnecessary variables and streamlining the memory allocation and copying logic. The changes include: - Remove the unused local variable 'mc'. - Directly handle memory allocation failure without redundant checks. - Simplify the memcpy and assignment to zhaoxin_ucode_patch. This improves code readability and reduces complexity without changing functionality. Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
zhaoxin inclusion category: feature ------------------- Add some special initialization for Zhaoxin SB HDAC. Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
zhaoxin inclusion category: feature -------------------- Due to hardware limitations, it is necessary to avoid situations where some cores are waiting to receive startup while other cores are updating microcode. Therefore, cpu startup must be serialized when microcode updates are required. Reviewed-by: Tony W. Wang <tonywwang@zhaoxin.com> Signed-off-by: Lyle Li <lyleli@zhaoxin.com> Signed-off-by: LeoLiu-oc <leoliu-oc@zhaoxin.com>
Reviewer's Guide (Sourcery): Replaces unsafe sprintf() calls with bounded snprintf() in the kernel lockdown module to eliminate a potential stack buffer overflow when formatting lockdown reason labels.
Hi @orbisai0security. Thanks for your PR. I'm waiting for a deepin-community member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Hey - I've left some high level feedback:
- When switching to snprintf, you should guard against offset growing beyond sizeof(temp) (to avoid size_t underflow in sizeof(temp) - offset) and early-return or stop appending once the buffer is full.
- Consider using scnprintf (or at least checking the snprintf return value) so that offset is updated correctly in the presence of truncation rather than assuming the full string was written.
@orbisai0security can you address code review comments?
Pull request overview
Updates security/lockdown/lockdown.c to mitigate a reported stack buffer overflow risk when formatting lockdown reason labels into a fixed-size stack buffer.
Changes:
- Replace sprintf() calls with snprintf() while building the temp buffer in lockdown_read().
| if (kernel_locked_down == level) | ||
| offset += sprintf(temp+offset, "[%s] ", label); | ||
| offset += snprintf(temp+offset, sizeof(temp) - offset, "[%s] ", label); | ||
| else | ||
| offset += sprintf(temp+offset, "%s ", label); | ||
| offset += snprintf(temp+offset, sizeof(temp) - offset, "%s ", label); |
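Review bot: the two snprintf() calls in this hunk still let offset run past the end of temp. snprintf() returns the length the complete string would have had, not the number of bytes stored, so after a truncating call offset exceeds sizeof(temp) and the next iteration's `sizeof(temp) - offset` wraps to a huge size_t, which hands snprintf() an unbounded size again. Use scnprintf(), which returns the bytes actually stored, or check the return value and stop appending once offset reaches sizeof(temp) - 1.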
@orbisai0security can you address code review comments?
✅ Changes Applied I've updated the code based on your feedback: The current Two changes address all reviewer feedback:
Files modified:
The changes have been pushed to this PR branch. Please review!
✅ Changes Applied I've updated the code based on your feedback: The code already uses Files modified:
The changes have been pushed to this PR branch. Please review!
Replace sprintf() with scnprintf() in lockdown_read() to prevent a potential stack buffer overflow when building the lockdown reasons string. sprintf() does not enforce bounds on bytes written, so if lockdown reason labels are longer than expected, the cumulative offset can exceed the fixed-size stack buffer, overwriting adjacent memory. Switch to scnprintf() which returns the number of bytes actually written (capped at buffer capacity), and add an early-break guard when offset reaches buffer capacity to prevent size_t underflow in the remaining-size calculation. Assisted-by: Claude:claude-opus-4-6-v1 Signed-off-by: OrbisAI Security <mediratta01.pally@gmail.com>
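To make the difference between the two revisions of this PR (snprintf() with a bare offset, versus scnprintf() with an early-break guard) concrete, here is an added userspace example. It is not code from the PR, from the kernel, or from Sourcery; it replays the accumulation loop of lockdown_read() against a constructed 16-byte buffer and constructed labels ("none", "integrity", "confidentiality"), so the buffer size and label strings are assumptions for the demo rather than values from lockdown.c. my_scnprintf is an assumed userspace stand-in for the kernel's scnprintf(), and remaining_size, build_with_snprintf and build_with_scnprintf are helper names invented here.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf() (assumed helper, not the
 * kernel's code): formats like snprintf() but returns the number of bytes
 * actually stored, excluding the NUL, so the result never exceeds size - 1. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	if ((size_t)n >= size)
		return (int)(size - 1);
	return n;
}

/* Constructed sample labels standing in for the lockdown reason strings. */
static const char *const sample_labels[] = { "none", "integrity", "confidentiality" };
#define NLABELS (sizeof(sample_labels) / sizeof(sample_labels[0]))

/* The remaining-space expression from the PR, isolated so the wrap-around
 * can be observed: once offset > bufsize the result is enormous. */
static size_t remaining_size(size_t bufsize, int offset)
{
	return bufsize - (size_t)offset;
}

/* First revision's strategy: snprintf() returns the length the whole string
 * would have had, so a truncating call pushes offset past the buffer end.
 * This loop stops as soon as that happens instead of feeding the wrapped
 * size back into snprintf(); the returned offset shows the damage. */
static int build_with_snprintf(char *buf, size_t bufsize, int current)
{
	int offset = 0;
	size_t i;

	for (i = 0; i < NLABELS && (size_t)offset < bufsize; i++) {
		const char *label = sample_labels[i];

		if ((int)i == current)
			offset += snprintf(buf + offset, bufsize - (size_t)offset, "[%s] ", label);
		else
			offset += snprintf(buf + offset, bufsize - (size_t)offset, "%s ", label);
	}
	return offset;
}

/* Second revision's strategy: scnprintf() semantics keep offset <= bufsize - 1
 * by construction, and the early break mirrors the guard in the final hunk. */
static int build_with_scnprintf(char *buf, size_t bufsize, int current)
{
	int offset = 0;
	size_t i;

	for (i = 0; i < NLABELS; i++) {
		const char *label = sample_labels[i];

		if ((size_t)offset >= bufsize - 1)
			break;
		if ((int)i == current)
			offset += my_scnprintf(buf + offset, bufsize - (size_t)offset, "[%s] ", label);
		else
			offset += my_scnprintf(buf + offset, bufsize - (size_t)offset, "%s ", label);
	}
	return offset;
}

/* Wrappers over one scratch buffer; callers pick a bufsize (16 is small enough
 * that the second label is truncated, 64 holds the whole constructed set). */
static char scratch[64];

static int snprintf_final_offset(size_t bufsize)
{
	if (bufsize > sizeof(scratch))
		return -1;
	return build_with_snprintf(scratch, bufsize, 1);
}

static int scnprintf_final_offset(size_t bufsize)
{
	if (bufsize > sizeof(scratch))
		return -1;
	return build_with_scnprintf(scratch, bufsize, 1);
}

static int scnprintf_output_is(size_t bufsize, const char *expected)
{
	if (bufsize > sizeof(scratch))
		return 0;
	build_with_scnprintf(scratch, bufsize, 1);
	return strcmp(scratch, expected) == 0;
}

int main(void)
{
	int off = snprintf_final_offset(16);

	printf("snprintf:  offset=%d, remaining=%zu (wrapped past the buffer)\n",
	       off, remaining_size(16, off));
	off = scnprintf_final_offset(16);
	printf("scnprintf: offset=%d, buf=\"%s\"\n", off, scratch);
	off = scnprintf_final_offset(64);
	printf("scnprintf, 64-byte buffer: offset=%d, buf=\"%s\"\n", off, scratch);
	return 0;
}
```

With the 16-byte buffer the snprintf() loop ends at offset 17, one past the buffer, so the next `sizeof(temp) - offset` would be SIZE_MAX; the scnprintf() loop ends at offset 15 with a NUL-terminated, truncated string, and the break guard stops it before another call is attempted. With a buffer large enough for all labels the two variants agree, which is why the original sprintf() code appeared to work.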
ed8dcde to 30ea88d
This is addressed now. Please review.
| if (offset >= sizeof(temp) - 1) | ||
| break; | ||
| if (kernel_locked_down == level) | ||
| offset += sprintf(temp+offset, "[%s] ", label); | ||
| offset += scnprintf(temp + offset, sizeof(temp) - (size_t)offset, "[%s] ", label); | ||
| else | ||
| offset += sprintf(temp+offset, "%s ", label); | ||
| offset += scnprintf(temp + offset, sizeof(temp) - (size_t)offset, "%s ", label); |
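Review bot: the `if (offset >= sizeof(temp) - 1) break;` guard is fine as an early exit, but the commit message's justification for it does not hold once scnprintf() is in use: scnprintf() never returns more than the space it was given, so offset cannot pass sizeof(temp) - 1 and `sizeof(temp) - (size_t)offset` cannot underflow without the guard. The `(size_t)` cast also signals that offset is a signed int compared against a size_t; declaring offset as size_t, or adding a one-line comment that the guard is defensive, would make the intent clearer to the next reader. Note too that the loop now truncates silently, so the last label can be cut mid-word if temp is ever too small for the full set; worth a comment at the buffer declaration.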
Summary
Fix critical severity security issue in security/lockdown/lockdown.c.
Vulnerability
V-001 security/lockdown/lockdown.c:103
Description: The kernel lockdown security module uses sprintf() to build a string into a fixed-size stack buffer 'temp' at lines 103 and 105. The sprintf() function does not enforce any bound on the number of bytes written relative to the remaining buffer capacity. Each call accumulates bytes into 'offset' without checking whether the remaining buffer space is sufficient. If the 'label' string is longer than expected, the cumulative offset can exceed the buffer size, overwriting adjacent stack memory including saved registers and return addresses, enabling arbitrary code execution in kernel (ring 0) context.
Changes
security/lockdown/lockdown.c
Verification
Automated security fix by OrbisAI Security
Summary by Sourcery
Bug Fixes: