Date: Tue, 11 Jun 2019 07:48:37 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238486] Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c
Message-ID: <bug-238486-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238486

            Bug ID: 238486
           Summary: Possible buffer overflow bug in sc_allocate_keyboard()
                    of sys/dev/syscons/syscons.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 204976
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204976&action=edit
Proposed patch

There is a possible buffer overflow bug in sc_allocate_keyboard() of
sys/dev/syscons/syscons.c.

    k0 = kbd_get_keyboard(idx0);

    for (idx = kbd_find_keyboard2("*", -1, 0);
         idx != -1;
         idx = kbd_find_keyboard2("*", -1, idx + 1)) {
        k = kbd_get_keyboard(idx);

        if (idx == idx0 || KBD_IS_BUSY(k))
            continue;

        bzero(&ki, sizeof(ki));
        strcpy(ki.kb_name, k->kb_name);
        ki.kb_unit = k->kb_unit;

        (void)kbdd_ioctl(k0, KBADDKBD, (caddr_t) &ki);
    }

We should use strncpy to copy into a fixed-size buffer instead of strcpy().
The attachment is the proposed patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
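
Added example, not part of the original report or its attached patch: a bounded copy into a fixed-size name field, showing why the bound passed to strncpy() should be the field size minus one when the struct has been zeroed first. The struct, NAME_LEN value, function names and sample strings are constructed for illustration and are not taken from the FreeBSD source.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* assumed field size for this example */

/* Hypothetical stand-in for the fixed-size destination in the report. */
struct kbd_info_example {
	int  kb_unit;
	char kb_name[NAME_LEN];
};

/*
 * Bounded copy into the name field. Returns 1 if src was truncated,
 * 0 otherwise. The field is always NUL-terminated on return.
 */
int
set_name_bounded(struct kbd_info_example *ki, const char *src)
{
	memset(ki, 0, sizeof(*ki)); /* same role as bzero(&ki, ...) */
	/* Copy at most size - 1 bytes so the zeroed last byte survives. */
	strncpy(ki->kb_name, src, sizeof(ki->kb_name) - 1);
	return (strlen(src) >= sizeof(ki->kb_name));
}

/*
 * strncpy() bounded by the full buffer size cannot overflow, but it
 * writes no terminator when src is size bytes or longer.
 * Returns 1 if dst holds a NUL within dstsz bytes, 0 if not.
 */
int
terminated_after_strncpy(char *dst, size_t dstsz, const char *src)
{
	strncpy(dst, src, dstsz);
	return (memchr(dst, '\0', dstsz) != NULL);
}

int
main(void)
{
	struct kbd_info_example ki;
	char raw[NAME_LEN];

	printf("short name truncated: %d\n", set_name_bounded(&ki, "atkbd"));
	printf("long name truncated:  %d (stored \"%s\")\n",
	    set_name_bounded(&ki, "a_very_long_keyboard_name"), ki.kb_name);
	printf("full-size strncpy terminated: %d\n",
	    terminated_after_strncpy(raw, sizeof(raw), "0123456789abcdef"));
	return (0);
}
```

A caller that gets 1 back from set_name_bounded() can log or reject the truncated name instead of silently registering a different one.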