From 4b8aba93bdba168f284036cd7f8cb0e988bf3f92 Mon Sep 17 00:00:00 2001 From: Andrew Goodbody Date: Wed, 23 Jul 2025 11:34:35 +0100 Subject: [PATCH 1/2] bios_emulator: Fix buffer overflow Using strcpy to copy a 4 character string into a 4 byte field in a structure will overflow that field as it writes the terminating \0 into the following field. Correct this by using memcpy instead. This issue was found by Smatch. Signed-off-by: Andrew Goodbody
---
 drivers/bios_emulator/atibios.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bios_emulator/atibios.c b/drivers/bios_emulator/atibios.c
index d544ffb5ffb..e992a1aa822 100644
--- a/drivers/bios_emulator/atibios.c
+++ b/drivers/bios_emulator/atibios.c
@@ -99,7 +99,7 @@ static int atibios_debug_mode(BE_VGAInfo *vga_info, RMREGS *regs,
 regs->e.edi = buffer_adr;
 info = buffer;
 memset(info, '\0', sizeof(*info));
- strcpy(info->signature, "VBE2");
+ memcpy(info->signature, "VBE2", 4);
 BE_int86(0x10, regs, regs);
 if (regs->e.eax != 0x4f) {
 debug("VESA_GET_INFO: error %x\n", regs->e.eax);
From 0fdcca86d87b3b723cdfc9901f02f14adba9df60 Mon Sep 17 00:00:00 2001 From: Andrew Goodbody Date: Wed, 23 Jul 2025 11:34:36 +0100 Subject: [PATCH 2/2] bios_emulator: Add parens to xorl macro The xorl macro lacked surrounding parens which meant that it could have unexpected results when used in expressions. Fix this by adding the surrounding parens to make its use predictable. This issue was found by Smatch. Signed-off-by: Andrew Goodbody
---
 drivers/bios_emulator/x86emu/ops2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bios_emulator/x86emu/ops2.c b/drivers/bios_emulator/x86emu/ops2.c
index 1ff27b2af95..29a166f7fe9 100644
--- a/drivers/bios_emulator/x86emu/ops2.c
+++ b/drivers/bios_emulator/x86emu/ops2.c
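Review bot: The length `4` in the new `memcpy(info->signature, "VBE2", 4);` line of atibios_debug_mode (drivers/bios_emulator/atibios.c) is a bare constant that has to stay in step with the size of the `signature` field, which is declared outside this hunk. Writing it as `memcpy(info->signature, "VBE2", sizeof(info->signature));` ties the bound to the destination, assuming the field is the 4-byte array the commit message describes. A short comment such as `/* signature is a fixed 4-byte tag, not NUL-terminated */` would also warn later readers against using string functions on the field, which is what produced the overflow being fixed. The function body starts before and continues after the hunk.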
@@ -66,7 +66,7 @@ void x86emuOp2_illegal_op(
 END_OF_INSTR();
 }
-#define xorl(a,b) ((a) && !(b)) || (!(a) && (b))
+#define xorl(a, b) (((a) && !(b)) || (!(a) && (b)))
 /****************************************************************************
 REMARKS:
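Review bot: The corrected `xorl` macro in drivers/bios_emulator/x86emu/ops2.c still expands each argument twice, so `a` can be evaluated more than once when the first half of the expression is false. `#define xorl(a, b) (!(a) != !(b))` gives the same logical exclusive-or while evaluating each operand exactly once. The macro's callers are outside the hunk, so whether any of them passes an operand with side effects cannot be told from here. A one-line comment, `/* logical XOR: true when exactly one of a, b is non-zero */`, would document the intent.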