Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2022-50828

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
30/12/2025
Last modified:
30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

clk: zynqmp: Fix stack-out-of-bounds in strncpy`

"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"

Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
longer than 15 bytes, string terminated NULL character will not be received
by Linux. Add explicit NULL character at last byte to fix issues when clock
name is longer.

This fixes below bug reported by KASAN:

==================================================================
BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1

CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
Call trace:
dump_backtrace+0x0/0x1e8
show_stack+0x14/0x20
dump_stack+0xd4/0x108
print_address_description.isra.0+0xbc/0x37c
__kasan_report+0x144/0x198
kasan_report+0xc/0x18
__asan_load1+0x5c/0x68
strncpy+0x30/0x68
zynqmp_clock_probe+0x238/0x7b8
platform_drv_probe+0x6c/0xc8
really_probe+0x14c/0x418
driver_probe_device+0x74/0x130
__device_attach_driver+0xc4/0xe8
bus_for_each_drv+0xec/0x150
__device_attach+0x160/0x1d8
device_initial_probe+0x10/0x18
bus_probe_device+0xe0/0xf0
device_add+0x528/0x950
of_device_add+0x5c/0x80
of_platform_device_create_pdata+0x120/0x168
of_platform_bus_create+0x244/0x4e0
of_platform_populate+0x50/0xe8
zynqmp_firmware_probe+0x370/0x3a8
platform_drv_probe+0x6c/0xc8
really_probe+0x14c/0x418
driver_probe_device+0x74/0x130
device_driver_attach+0x94/0xa0
__driver_attach+0x70/0x108
bus_for_each_dev+0xe4/0x158
driver_attach+0x30/0x40
bus_add_driver+0x21c/0x2b8
driver_register+0xbc/0x1d0
__platform_driver_register+0x7c/0x88
zynqmp_firmware_driver_init+0x1c/0x24
do_one_initcall+0xa4/0x234
kernel_init_freeable+0x1b0/0x24c
kernel_init+0x10/0x110
ret_from_fork+0x10/0x18

The buggy address belongs to the page:
page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff
page dumped because: kasan: bad access detected

addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
zynqmp_clock_probe+0x0/0x7b8

this frame has 3 objects:
[32, 44) 'response'
[64, 80) 'ret_payload'
[96, 112) 'name'

Memory state around the buggy address:
ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
>ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
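The mitigation the description names (an explicit terminator in the last byte of the 16-byte name) looks like this in a user-space sketch. This is an added example, not the kernel patch or driver code; `copy_fw_name`, `payload_is_terminated` and the sample payloads are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 16  /* SMC payload size given in the description */
#define NAME_LEN    16  /* size of the on-stack 'name' object in the KASAN report */

/* Returns 1 if the payload carries its own terminator, 0 if the name
 * filled all 16 bytes (the case that made strncpy read past the buffer). */
static int payload_is_terminated(const uint8_t payload[PAYLOAD_LEN])
{
    return memchr(payload, '\0', PAYLOAD_LEN) != NULL;
}

/* Copy a firmware-supplied name into dst and force a terminator into the
 * last byte, so later string functions cannot run off the end of dst.
 * Returns the resulting string length (at most NAME_LEN - 1). */
static size_t copy_fw_name(char dst[NAME_LEN], const uint8_t payload[PAYLOAD_LEN])
{
    memcpy(dst, payload, NAME_LEN);
    dst[NAME_LEN - 1] = '\0';   /* explicit terminator at the last byte */
    return strlen(dst);
}

int main(void)
{
    /* Constructed sample payloads, not real firmware output. */
    uint8_t short_name[PAYLOAD_LEN] = "pll_video";        /* zero padded */
    uint8_t long_name[PAYLOAD_LEN];
    char name[NAME_LEN];

    memcpy(long_name, "clk_name_16bytes", PAYLOAD_LEN);   /* 16 chars, no NUL */

    printf("terminated=%d len=%zu name=%s\n",
           payload_is_terminated(short_name),
           copy_fw_name(name, short_name), name);
    printf("terminated=%d len=%zu name=%s\n",
           payload_is_terminated(long_name),
           copy_fw_name(name, long_name), name);
    return 0;
}
```

A 16-character name is truncated to 15 characters rather than read past the end of the buffer.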

Impact