[PATCH] ACPICA: avoid out-of-bounds read in acpi_ut_safe_strncpy()

Running a KASAN-enabled kernel with ACPI_DEBUG_OUTPUT, I've noticed
the following:

BUG: KASAN: global-out-of-bounds in acpi_ut_safe_strncpy+0x25/0x70
Read of size 16 at addr ffffffff8bf2bee0 by task swapper/0/1
CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-08486-gf66bc387efbe #17 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014

Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250
 ...
 kasan_check_range+0x2b0/0x2c0
 __asan_memcpy+0x29/0x70
 acpi_ut_safe_strncpy+0x25/0x70
 acpi_ps_alloc_op+0x201/0x3a0
 ...

The buggy address belongs to the variable:
 .str.8+0x0/0x20

This happens when 'acpi_ut_safe_strncpy()' makes an attempt to copy to
a destination which is larger than the source, and may be fixed by using
'strscpy()' (which also guarantees NUL termination for a destination).

Fixes: ebf27765421c ("ACPICA: Replace strncpy() with memcpy()")
Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
---
 drivers/acpi/acpica/utnonansi.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/acpi/acpica/utnonansi.c b/drivers/acpi/acpica/utnonansi.c
index 803e3e893825..1447d8689209 100644
--- a/drivers/acpi/acpica/utnonansi.c
+++ b/drivers/acpi/acpica/utnonansi.c
@@ -166,10 +166,7 @@ acpi_ut_safe_strncat(char *dest,
 
 void acpi_ut_safe_strncpy(char *dest, char *source, acpi_size dest_size)
 {
-	/* Always terminate destination string */
-
-	memcpy(dest, source, dest_size);
-	dest[dest_size - 1] = 0;
+	strscpy(dest, source, dest_size);
 }
 
 #endif
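
Review bot: strscpy() stops at the source's NUL and leaves the remaining bytes of dest untouched, while the removed memcpy(dest, source, dest_size) wrote all dest_size bytes, so in acpi_ut_safe_strncpy() the tail of the destination is no longer overwritten. Please confirm that every caller passes a buffer that is already zeroed or is only ever read as a C string; if not, strscpy_pad() keeps the full-buffer write without reading past the end of the source. The return value is also dropped, so truncation (-E2BIG) stays silent, which matches the old behaviour but deserves a short comment now that "Always terminate destination string" is removed and nothing in the function documents the guarantee. Since this file sits under drivers/acpi/acpica/, it is also worth stating in the commit message how a Linux-only helper like strscpy() is meant to be handled on the ACPICA side.
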
-- 
2.49.0