From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Miles Chen <miles.chen@mediatek.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.18 16/45] tty: check name length in tty_find_polling_driver()
Date: Sun,  4 Nov 2018 08:52:11 -0500
Message-ID: <20181104135240.88431-16-sashal@kernel.org>
In-Reply-To: <20181104135240.88431-1-sashal@kernel.org>

From: Miles Chen <miles.chen@mediatek.com>

[ Upstream commit 33a1a7be198657c8ca26ad406c4d2a89b7162bcc ]

The issue is found by a fuzzing test.
If tty_find_polling_driver() receives an incorrect input such as
',,' or '0b', the len becomes 0 and strncmp() always returns 0.
In this case, a null p->ops->poll_init() is called and it causes a kernel
panic.

Fix this by checking name length against zero in tty_find_polling_driver().

$echo ,, > /sys/module/kgdboc/parameters/kgdboc
[   20.804451] WARNING: CPU: 1 PID: 104 at drivers/tty/serial/serial_core.c:457
uart_get_baud_rate+0xe8/0x190
[   20.804917] Modules linked in:
[   20.805317] CPU: 1 PID: 104 Comm: sh Not tainted 4.19.0-rc7ajb #8
[   20.805469] Hardware name: linux,dummy-virt (DT)
[   20.805732] pstate: 20000005 (nzCv daif -PAN -UAO)
[   20.805895] pc : uart_get_baud_rate+0xe8/0x190
[   20.806042] lr : uart_get_baud_rate+0xc0/0x190
[   20.806476] sp : ffffffc06acff940
[   20.806676] x29: ffffffc06acff940 x28: 0000000000002580
[   20.806977] x27: 0000000000009600 x26: 0000000000009600
[   20.807231] x25: ffffffc06acffad0 x24: 00000000ffffeff0
[   20.807576] x23: 0000000000000001 x22: 0000000000000000
[   20.807807] x21: 0000000000000001 x20: 0000000000000000
[   20.808049] x19: ffffffc06acffac8 x18: 0000000000000000
[   20.808277] x17: 0000000000000000 x16: 0000000000000000
[   20.808520] x15: ffffffffffffffff x14: ffffffff00000000
[   20.808757] x13: ffffffffffffffff x12: 0000000000000001
[   20.809011] x11: 0101010101010101 x10: ffffff880d59ff5f
[   20.809292] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
[   20.809549] x7 : 0000000000000000 x6 : ffffff880d59ff5f
[   20.809803] x5 : 0000000080008001 x4 : 0000000000000003
[   20.810056] x3 : ffffff900853e6b4 x2 : dfffff9000000000
[   20.810693] x1 : ffffffc06acffad0 x0 : 0000000000000cb0
[   20.811005] Call trace:
[   20.811214]  uart_get_baud_rate+0xe8/0x190
[   20.811479]  serial8250_do_set_termios+0xe0/0x6f4
[   20.811719]  serial8250_set_termios+0x48/0x54
[   20.811928]  uart_set_options+0x138/0x1bc
[   20.812129]  uart_poll_init+0x114/0x16c
[   20.812330]  tty_find_polling_driver+0x158/0x200
[   20.812545]  configure_kgdboc+0xbc/0x1bc
[   20.812745]  param_set_kgdboc_var+0xb8/0x150
[   20.812960]  param_attr_store+0xbc/0x150
[   20.813160]  module_attr_store+0x40/0x58
[   20.813364]  sysfs_kf_write+0x8c/0xa8
[   20.813563]  kernfs_fop_write+0x154/0x290
[   20.813764]  vfs_write+0xf0/0x278
[   20.813951]  __arm64_sys_write+0x84/0xf4
[   20.814400]  el0_svc_common+0xf4/0x1dc
[   20.814616]  el0_svc_handler+0x98/0xbc
[   20.814804]  el0_svc+0x8/0xc
[   20.822005] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   20.826913] Mem abort info:
[   20.827103]   ESR = 0x84000006
[   20.827352]   Exception class = IABT (current EL), IL = 16 bits
[   20.827655]   SET = 0, FnV = 0
[   20.827855]   EA = 0, S1PTW = 0
[   20.828135] user pgtable: 4k pages, 39-bit VAs, pgdp = (____ptrval____)
[   20.828484] [0000000000000000] pgd=00000000aadee003, pud=00000000aadee003, pmd=0000000000000000
[   20.829195] Internal error: Oops: 84000006 [#1] SMP
[   20.829564] Modules linked in:
[   20.829890] CPU: 1 PID: 104 Comm: sh Tainted: G        W         4.19.0-rc7ajb #8
[   20.830545] Hardware name: linux,dummy-virt (DT)
[   20.830829] pstate: 60000085 (nZCv daIf -PAN -UAO)
[   20.831174] pc :           (null)
[   20.831457] lr : serial8250_do_set_termios+0x358/0x6f4
[   20.831727] sp : ffffffc06acff9b0
[   20.831936] x29: ffffffc06acff9b0 x28: ffffff9008d7c000
[   20.832267] x27: ffffff900969e16f x26: 0000000000000000
[   20.832589] x25: ffffff900969dfb0 x24: 0000000000000000
[   20.832906] x23: ffffffc06acffad0 x22: ffffff900969e160
[   20.833232] x21: 0000000000000000 x20: ffffffc06acffac8
[   20.833559] x19: ffffff900969df90 x18: 0000000000000000
[   20.833878] x17: 0000000000000000 x16: 0000000000000000
[   20.834491] x15: ffffffffffffffff x14: ffffffff00000000
[   20.834821] x13: ffffffffffffffff x12: 0000000000000001
[   20.835143] x11: 0101010101010101 x10: ffffff880d59ff5f
[   20.835467] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
[   20.835790] x7 : 0000000000000000 x6 : ffffff880d59ff5f
[   20.836111] x5 : c06419717c314100 x4 : 0000000000000007
[   20.836419] x3 : 0000000000000000 x2 : 0000000000000000
[   20.836732] x1 : 0000000000000001 x0 : ffffff900969df90
[   20.837100] Process sh (pid: 104, stack limit = 0x(____ptrval____))
[   20.837396] Call trace:
[   20.837566]            (null)
[   20.837816]  serial8250_set_termios+0x48/0x54
[   20.838089]  uart_set_options+0x138/0x1bc
[   20.838570]  uart_poll_init+0x114/0x16c
[   20.838834]  tty_find_polling_driver+0x158/0x200
[   20.839119]  configure_kgdboc+0xbc/0x1bc
[   20.839380]  param_set_kgdboc_var+0xb8/0x150
[   20.839658]  param_attr_store+0xbc/0x150
[   20.839920]  module_attr_store+0x40/0x58
[   20.840183]  sysfs_kf_write+0x8c/0xa8
[   20.840183]  sysfs_kf_write+0x8c/0xa8
[   20.840440]  kernfs_fop_write+0x154/0x290
[   20.840702]  vfs_write+0xf0/0x278
[   20.840942]  __arm64_sys_write+0x84/0xf4
[   20.841209]  el0_svc_common+0xf4/0x1dc
[   20.841471]  el0_svc_handler+0x98/0xbc
[   20.841713]  el0_svc+0x8/0xc
[   20.842057] Code: bad PC value
[   20.842764] ---[ end trace a8835d7de79aaadf ]---
[   20.843134] Kernel panic - not syncing: Fatal exception
[   20.843515] SMP: stopping secondary CPUs
[   20.844289] Kernel Offset: disabled
[   20.844634] CPU features: 0x0,21806002
[   20.844857] Memory Limit: none
[   20.845172] ---[ end Kernel panic - not syncing: Fatal exception ]---

Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/tty_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 31d06f59c4e4..da45120d9453 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -408,7 +408,7 @@ struct tty_driver *tty_find_polling_driver(char *name, int *line)
 	mutex_lock(&tty_mutex);
 	/* Search through the tty devices to look for a match */
 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
-		if (strncmp(name, p->name, len) != 0)
+		if (!len || strncmp(name, p->name, len) != 0)
 			continue;
 		stp = str;
 		if (*stp == ',')
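Review bot: the `!len` test is evaluated on every pass through `list_for_each_entry()`, so a zero-length name still takes `tty_mutex` and walks the whole driver list only to `continue` at each entry; consider rejecting `len == 0` once, before `mutex_lock(&tty_mutex)`, returning the same not-found result the loop would produce after skipping every driver. The check itself is correct: with `len == 0`, `strncmp(name, p->name, len)` compares no bytes and returns 0 for every driver, which is exactly the "always returns 0" behaviour the commit message describes for inputs like `,,` and `0b`.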
-- 
2.17.1
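As an added illustration that is not part of this patch or of the kernel source, the following constructed user-space model reproduces the matching rule the commit message describes: the driver name is the part of the input before the first digit or comma, so inputs such as `,,` and `0b` give a prefix length of 0, and `strncmp()` with a length of 0 compares nothing and reports a match against the first entry in the table. `find_driver_unfixed()` mirrors the lookup before the fix and `find_driver_fixed()` the lookup with the `!len ||` guard; the driver table, its names and the `has_poll_init` flag are constructed for this example and are not the kernel's driver list.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tty driver table (example data, not the kernel's
 * real driver list). has_poll_init marks drivers that implement polling. */
struct model_driver {
    const char *name;
    int has_poll_init;
};

static const struct model_driver drivers[] = {
    { "dummy",  0 },   /* first in the list and has no polling support */
    { "ttyS",   1 },   /* serial driver that does support polling */
    { "ttyUSB", 0 },
};

#define NDRIVERS (sizeof drivers / sizeof drivers[0])

/* The driver-name part of the input ends at the first digit or ',';
 * len is the number of characters before that separator. Returns -1
 * when no separator is present at all, so ",," and "0b" both yield 0. */
static int name_prefix_len(const char *name)
{
    const char *str;

    for (str = name; *str; str++)
        if ((*str >= '0' && *str <= '9') || *str == ',')
            break;
    if (!*str)
        return -1;
    return (int)(str - name);
}

/* Lookup as it behaved before the patch: with len == 0, strncmp()
 * compares zero bytes and returns 0, so the first table entry "matches"
 * regardless of what the caller typed. */
static const struct model_driver *find_driver_unfixed(const char *name)
{
    int len = name_prefix_len(name);

    if (len < 0)
        return NULL;
    for (size_t i = 0; i < NDRIVERS; i++) {
        if (strncmp(name, drivers[i].name, (size_t)len) != 0)
            continue;
        return &drivers[i];
    }
    return NULL;
}

/* Lookup with the patch applied: a zero-length name never matches. */
static const struct model_driver *find_driver_fixed(const char *name)
{
    int len = name_prefix_len(name);

    if (len < 0)
        return NULL;
    for (size_t i = 0; i < NDRIVERS; i++) {
        if (!len || strncmp(name, drivers[i].name, (size_t)len) != 0)
            continue;
        return &drivers[i];
    }
    return NULL;
}

static void show(const char *input)
{
    const struct model_driver *before = find_driver_unfixed(input);
    const struct model_driver *after  = find_driver_fixed(input);

    printf("input %-8s unfixed -> %-6s (poll_init %s)   fixed -> %s\n",
           input,
           before ? before->name : "none",
           before && before->has_poll_init ? "present" : "missing",
           after ? after->name : "none");
}

int main(void)
{
    /* The two inputs from the commit message, plus a well-formed one. */
    show(",,");
    show("0b");
    show("ttyS0");
    return 0;
}
```

Running the model shows that the unfixed lookup hands back the `dummy` entry, which has no `poll_init`, for both fuzzer inputs, while the fixed lookup returns nothing for them and still resolves `ttyS0` to the `ttyS` entry as before.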
