CVE-2024-42301: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42301 affects the Linux kernel's parallel port driver (dev/parport). The vulnerability was discovered and disclosed in August 2024, involving an array out-of-bounds risk in the parallel port driver's procfs interface. The issue affects multiple versions of the Linux kernel from version 4.19 up to version 6.10.3 (NVD).

The vulnerability stems from unsafe usage of sprintf() functions in the parallel port driver's procfs interface, which could lead to buffer overflows. The issue occurs specifically in the dohardwarebase_addr function where a fixed-size buffer was used without proper bounds checking. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability can lead to kernel stack corruption, potentially resulting in a system crash (kernel panic). This was demonstrated in the reported stack trace where the kernel stack was corrupted in the dohardwarebase_addr function (Kernel Patch).

The vulnerability has been fixed by replacing all instances of sprintf with snprintf in the affected code, ensuring proper buffer size checking. The fix involves increasing the buffer size from 20 to 64 bytes and using snprintf throughout the code to prevent buffer overflows. The patch has been merged into the mainline kernel and backported to affected stable kernel versions (Kernel Patch).