From 26574c1053e8f4e614d28d4e8542983589b2dfc3 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 02:06:45 +0000 Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM?= =?UTF-8?q?]=20Fix=20unbounded=20strcpy=20in=20ar8327=20LED=20driver?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced `strcpy` with `strscpy` in `target/linux/generic/files/drivers/net/phy/ar8327.c` to prevent potential buffer overflows. Also precalculated `name_len` to avoid calling `strlen` twice and prevent TOCTOU races between allocation and copying. Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ target/linux/generic/files/drivers/net/phy/ar8327.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index fcf926b7d82870..e7253d0f531731 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -102,3 +102,7 @@ **Vulnerability:** In `package/network/config/netifd/files/lib/netifd/utils.uc`, the `handler_load` function iterates over `.sh` scripts in a directory and uses their `basename` to execute them via a string interpolated `system()` call (`system("./${script} ...")`). If an attacker could place a maliciously named file in the parsed directory (e.g., `$(touch \/tmp\/pwned).sh`), it would result in arbitrary command execution. **Learning:** In `ucode` scripts, `system()` with a string argument is executed by the shell (`/bin/sh -c`). When using variables derived from filenames or external sources within these string templates, failure to sanitize allows shell metacharacter injection. **Prevention:** To protect `system()` or `fs.popen()` when string interpolation is unavoidable, always strictly validate variables using regex allowlists (e.g., `if (match(script, /[^a-zA-Z0-9_.-]/)) continue;`) to ensure only safe characters are evaluated by the shell. +## 2026-05-22 - [Fix buffer overflow risk in AR8327 LED driver] +**Vulnerability:** Unbounded `strcpy` used for copying dynamic string into flexible array member without reusing precalculated length. +**Learning:** In kernel modules, `strcpy` should be replaced with `strscpy`, and size variables should be precalculated to avoid TOCTOU races between allocation and copying. +**Prevention:** Use `strscpy` with a precalculated length variable instead of `strcpy` and `strlen`. diff --git a/target/linux/generic/files/drivers/net/phy/ar8327.c b/target/linux/generic/files/drivers/net/phy/ar8327.c index 95a452f6ab3928..558dc362dfc710 100644 --- a/target/linux/generic/files/drivers/net/phy/ar8327.c +++ b/target/linux/generic/files/drivers/net/phy/ar8327.c @@ -307,6 +307,7 @@ ar8327_led_create(struct ar8xxx_priv *priv, { struct ar8327_data *data = priv->chip_data; struct ar8327_led *aled; + size_t name_len; int ret; if (!IS_ENABLED(CONFIG_AR8216_PHY_LEDS)) @@ -318,7 +319,8 @@ ar8327_led_create(struct ar8xxx_priv *priv, if (led_info->led_num >= AR8327_NUM_LEDS) return -EINVAL; - aled = kzalloc(struct_size(aled, name, strlen(led_info->name) + 1), + name_len = strlen(led_info->name) + 1; + aled = kzalloc(struct_size(aled, name, name_len), GFP_KERNEL); if (!aled) return -ENOMEM; @@ -332,7 +334,7 @@ ar8327_led_create(struct ar8xxx_priv *priv, if (aled->mode == AR8327_LED_MODE_HW) aled->enable_hw_mode = true; - strcpy(aled->name, led_info->name); + strscpy(aled->name, led_info->name, name_len); aled->cdev.name = aled->name; aled->cdev.brightness_set = ar8327_led_set_brightness; From 5e823cd7cd91c014e36410e25b31a6a28b0b1c48 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 02:13:33 +0000 Subject: [PATCH 2/4] =?UTF-8?q?net:=20phy:=20ar8327:=20=F0=9F=9B=A1?= =?UTF-8?q?=EF=B8=8F=20Sentinel:=20[MEDIUM]=20Fix=20unbounded=20strcpy=20i?= =?UTF-8?q?n=20ar8327=20LED=20driver?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced `strcpy` with `strscpy` in `target/linux/generic/files/drivers/net/phy/ar8327.c` to prevent potential buffer overflows. Also precalculated `name_len` to avoid calling `strlen` twice and prevent TOCTOU races between allocation and copying. Signed-off-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> From 3f08d3feb3215fabc5e2e60a8aff17fe0cfc5831 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 02:19:50 +0000 Subject: [PATCH 3/4] net: phy: ar8327: Sentinel: Fix unbounded strcpy in ar8327 LED driver Replaced `strcpy` with `strscpy` in `target/linux/generic/files/drivers/net/phy/ar8327.c` to prevent potential buffer overflows. Also precalculated `name_len` to avoid calling `strlen` twice and prevent TOCTOU races between allocation and copying. Signed-off-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> From f5be58e0e3bb1e78a17c2e93b0809e912b57e870 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 02:24:09 +0000 Subject: [PATCH 4/4] kernel: phy: ar8327: Sentinel: Fix unbounded strcpy in ar8327 LED driver Replaced `strcpy` with `strscpy` in `target/linux/generic/files/drivers/net/phy/ar8327.c` to prevent potential buffer overflows. Also precalculated `name_len` to avoid calling `strlen` twice and prevent TOCTOU races between allocation and copying. Signed-off-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com>