diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index fcf926b7d82870..e7253d0f531731 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -102,3 +102,7 @@
 **Vulnerability:** In `package/network/config/netifd/files/lib/netifd/utils.uc`, the `handler_load` function iterates over `.sh` scripts in a directory and uses their `basename` to execute them via a string interpolated `system()` call (`system("./${script} ...")`). If an attacker could place a maliciously named file in the parsed directory (e.g., `$(touch \/tmp\/pwned).sh`), it would result in arbitrary command execution.
 **Learning:** In `ucode` scripts, `system()` with a string argument is executed by the shell (`/bin/sh -c`). When using variables derived from filenames or external sources within these string templates, failure to sanitize allows shell metacharacter injection.
 **Prevention:** To protect `system()` or `fs.popen()` when string interpolation is unavoidable, always strictly validate variables using regex allowlists (e.g., `if (match(script, /[^a-zA-Z0-9_.-]/)) continue;`) to ensure only safe characters are evaluated by the shell.
+## 2026-05-22 - [Fix buffer overflow risk in AR8327 LED driver]
+**Vulnerability:** Unbounded `strcpy` used for copying dynamic string into flexible array member without reusing precalculated length.
+**Learning:** In kernel modules, `strcpy` should be replaced with `strscpy`, and size variables should be precalculated to avoid TOCTOU races between allocation and copying.
+**Prevention:** Use `strscpy` with a precalculated length variable instead of `strcpy` and `strlen`.
diff --git a/target/linux/generic/files/drivers/net/phy/ar8327.c b/target/linux/generic/files/drivers/net/phy/ar8327.c
index 95a452f6ab3928..558dc362dfc710 100644
--- a/target/linux/generic/files/drivers/net/phy/ar8327.c
+++ b/target/linux/generic/files/drivers/net/phy/ar8327.c
@@ -307,6 +307,7 @@ ar8327_led_create(struct ar8xxx_priv *priv,
 {
 struct ar8327_data *data = priv->chip_data;
 struct ar8327_led *aled;
+ size_t name_len;
 int ret;
 
 if (!IS_ENABLED(CONFIG_AR8216_PHY_LEDS))
@@ -318,7 +319,8 @@ ar8327_led_create(struct ar8xxx_priv *priv,
 if (led_info->led_num >= AR8327_NUM_LEDS)
 return -EINVAL;
 
- aled = kzalloc(struct_size(aled, name, strlen(led_info->name) + 1),
+ name_len = strlen(led_info->name) + 1;
+ aled = kzalloc(struct_size(aled, name, name_len),
 GFP_KERNEL);
 if (!aled)
 return -ENOMEM;
@@ -332,7 +334,7 @@ ar8327_led_create(struct ar8xxx_priv *priv,
 if (aled->mode == AR8327_LED_MODE_HW)
 aled->enable_hw_mode = true;
 
- strcpy(aled->name, led_info->name);
+ strscpy(aled->name, led_info->name, name_len);
 
 aled->cdev.name = aled->name;
 aled->cdev.brightness_set = ar8327_led_set_brightness;
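Review bot: `name_len = strlen(led_info->name) + 1;` in the second hunk dereferences `led_info->name` with no NULL check, and nothing visible in these hunks shows that the platform data always supplies a name; a guard such as `if (!led_info->name) return -EINVAL;` immediately before it would keep the sizing path from faulting on a missing name. In the third hunk the `strscpy` return value is discarded, which is sound only because `name_len` is the same value handed to `struct_size` a few lines earlier, so a one-line comment stating that invariant, e.g. `/* name_len sized the allocation above; truncation cannot occur */`, would document why `-E2BIG` is not checked. Note that because both the allocation and the copy are bounded by the same precomputed length, the change is defensive rather than closing an overflow that the old `strlen`-sized allocation permitted, unless `led_info->name` can change between the two calls. The enclosing function ar8327_led_create starts before the first hunk and continues after the last.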