From: Adrian Hunter <adrian.hunter@intel.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Aaron Tomlin <atomlin@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Jiri Olsa <jolsa@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] modules: Fix corruption of /proc/kallsyms
Date: Mon, 11 Jul 2022 10:48:16 +0300
Message-ID: <edcf6946-1c47-c01a-e795-e874f42b2e2d@intel.com>
In-Reply-To: <Yr9p4YOOfJp5evCq@bombadil.infradead.org>

On 2/07/22 00:40, Luis Chamberlain wrote:
> On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
>> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
>> file") changed from using strlcpy() to using strscpy() which created a
>> buffer overflow. That happened because:
>>  1) an incorrect value was passed as the buffer length
>>  2) strscpy() (unlike strlcpy()) may copy beyond the length of the
>>     input string when copying word-by-word.
>> The assumption was that because it was already known that the strings
>> being copied would fit in the space available, it was not necessary
>> to correctly set the buffer length.  strscpy() breaks that assumption
>> because although it will not touch bytes beyond the given buffer length
>> it may write bytes beyond the input string length when writing
>> word-by-word.
>>
>> The result of the buffer overflow is to corrupt the symbol type
>> information that follows. e.g.
>>
>>  $ sudo cat -v /proc/kallsyms | grep '\^' | head
>>  ffffffffc0615000 ^@ rfcomm_session_get  [rfcomm]
>>  ffffffffc061c060 ^@ session_list        [rfcomm]
>>  ffffffffc06150d0 ^@ rfcomm_send_frame   [rfcomm]
>>  ffffffffc0615130 ^@ rfcomm_make_uih     [rfcomm]
>>  ffffffffc07ed58d ^@ bnep_exit   [bnep]
>>  ffffffffc07ec000 ^@ bnep_rx_control     [bnep]
>>  ffffffffc07ec1a0 ^@ bnep_session        [bnep]
>>  ffffffffc07e7000 ^@ input_leds_event    [input_leds]
>>  ffffffffc07e9000 ^@ input_leds_handler  [input_leds]
>>  ffffffffc07e7010 ^@ input_leds_disconnect       [input_leds]
>>
>> Notably, the null bytes (represented above by ^@) can confuse tools.
>>
>> Fix by correcting the buffer length.
>>
>> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
>> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
> 
> Queued up thanks!
> 
>   Luis

Thanks for processing this.

I notice it is -rc6 and I do not see it in Linus' tree. This is a fix
for a regression, shouldn't it be included in 5.19?
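As an added userspace illustration (not the kernel's code and not part of this thread), the C model below reproduces the mechanism the commit message describes: a word-at-a-time strscpy() never writes past count, but it stores its final word whole, so an over-large count lets zero bytes land beyond the copied name and into whatever follows it. The string table and type table layout, their sizes and the symbol name are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#define WORD sizeof(uint64_t)
/* Classic word-at-a-time check: does any byte of w equal zero? */
static int has_zero(uint64_t w) { return ((w - 0x0101010101010101ULL) & ~w & 0x8080808080808080ULL) != 0; }

/* Userspace model of a word-at-a-time strscpy(): it never writes past count,
 * but stores the final word whole (zero-filled after the NUL), so bytes past
 * strlen(src) get written whenever count allows. src is read word-wise, pad it. */
static size_t model_strscpy(char *dst, const char *src, size_t count)
{
	size_t res = 0;
	while (count >= WORD) {
		uint64_t w;
		memcpy(&w, src + res, WORD);
		if (has_zero(w)) {
			unsigned char last[WORD] = { 0 };
			size_t n = strlen(src + res);	/* bytes before the NUL */
			memcpy(last, src + res, n);
			memcpy(dst + res, last, WORD);	/* the full-word store */
			return res + n;
		}
		memcpy(dst + res, &w, WORD);
		res += WORD;
		count -= WORD;
	}
	while (count--) {	/* byte-wise tail, bounded by count */
		if (!(dst[res] = src[res]))
			return res;
		res++;
	}
	if (res)
		dst[res - 1] = '\0';	/* truncated: -E2BIG in the kernel */
	return (size_t)-1;
}

/* Constructed layout: 12-byte string table with the 4-byte type table right
 * after it (assumption mirroring the module core layout). Copies "abcdefghij"
 * (11 bytes, fits) with the given count; returns the first type byte. */
enum { STRTAB_SIZE = 12, TYPETAB_SIZE = 4 };
char type_after_copy(size_t count)
{
	static const char src[16] = "abcdefghij";	/* zero padded */
	char core[STRTAB_SIZE + TYPETAB_SIZE] = { 0 };
	memcpy(core + STRTAB_SIZE, "TtDd", TYPETAB_SIZE);
	model_strscpy(core, src, count);
	return core[STRTAB_SIZE];
}
char bogus_count(void) { return type_after_copy(128); }		/* '\0': clobbered, like ^@ above */
char room_left(void) { return type_after_copy(STRTAB_SIZE); }	/* 'T': intact */
```

With the real room passed as count the tail loop finishes the name byte by byte and the type table survives; with a count far larger than the room the last word store spills zeros into it.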

Thread overview: 5+ messages
2022-07-01  9:44 [PATCH] modules: Fix corruption of /proc/kallsyms Adrian Hunter
2022-07-01 21:40 ` Luis Chamberlain
2022-07-11  7:48   ` Adrian Hunter [this message]
2022-07-11 16:02     ` Luis Chamberlain
2022-07-11 17:37 ` Aaron Tomlin