From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Macpaul Lin <macpaul@gmail.com>,
Daniel Thompson <daniel.thompson@linaro.org>
Subject: [PATCH 4.9 44/51] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
Date: Tue, 11 Dec 2018 16:41:52 +0100 [thread overview]
Message-ID: <20181211151617.788916497@linuxfoundation.org> (raw)
In-Reply-To: <20181211151612.328911565@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Macpaul Lin <macpaul@gmail.com>
commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."
[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&] ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------
After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.
Signed-off-by: Macpaul Lin <macpaul@gmail.com>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/kgdboc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr)
static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
{
- int len = strlen(kmessage);
+ size_t len = strlen(kmessage);
if (len >= MAX_CONFIG_LEN) {
printk(KERN_ERR "kgdboc: config string too long\n");
@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch
strcpy(config, kmessage);
/* Chop out \n char as a result of echo */
- if (config[len - 1] == '\n')
+ if (len && config[len - 1] == '\n')
config[len - 1] = '\0';
if (configured == 1)
next prev parent reply other threads:[~2018-12-11 15:50 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-11 15:41 [PATCH 4.9 00/51] 4.9.145-stable review Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 01/51] media: omap3isp: Unregister media device as first Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 02/51] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 03/51] brcmutil: really fix decoding channel info for 160 MHz bandwidth Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 04/51] iommu/ipmmu-vmsa: Fix crash on early domain free Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 05/51] can: rcar_can: Fix erroneous registration Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 06/51] HID: input: Ignore battery reported by Symbol DS4308 Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 07/51] batman-adv: Expand merged fragment buffer for full packet Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 08/51] bnx2x: Assign unique DMAE channel number for FW DMAE transactions Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 09/51] qed: Fix PTT leak in qed_drain() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 10/51] qed: Fix reading wrong value in loop condition Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 11/51] net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 12/51] net/mlx4_core: Fix uninitialized variable compilation warning Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 13/51] net/mlx4: Fix UBSAN warning of signed integer overflow Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 14/51] mtd: rawnand: qcom: Namespace prefix some commands Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 15/51] net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 16/51] iommu/vt-d: Use memunmap to free memremap Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 17/51] team: no need to do team_notify_peers or team_mcast_rejoin when disabling port Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 18/51] net: amd: add missing of_node_put() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 19/51] mm: dont warn about allocations which stall for too long Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 20/51] ARC: [zebu] Remove CONFIG_INITRAMFS_SOURCE from defconfigs Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 21/51] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 22/51] usb: appledisplay: Add 27" Apple Cinema Display Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 23/51] USB: check usb_get_extra_descriptor for proper size Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 24/51] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 25/51] ALSA: hda: Add support for AMD Stoney Ridge Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 26/51] ALSA: pcm: Fix starvation on down_write_nonblock() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 27/51] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 28/51] ALSA: pcm: Fix interval evaluation with openmin/max Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 29/51] ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570 Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 30/51] virtio/s390: avoid race on vcdev->config Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 31/51] virtio/s390: fix race in ccw_io_helper() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 32/51] SUNRPC: Fix leak of krb5p encode pages Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 33/51] dmaengine: cppi41: delete channel from pending list when stop channel Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 34/51] xhci: Prevent U1/U2 link pm states if exit latency is too long Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 35/51] sr: pass down correctly sized SCSI sense buffer Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 36/51] swiotlb: clean up reporting Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 37/51] vsock: lookup and setup guest_cid inside vhost_vsock_lock Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 38/51] vhost/vsock: fix use-after-free in network stack callers Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 39/51] Staging: lustre: remove two build warnings Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 40/51] cifs: Fix separator when building path from dentry Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 41/51] staging: rtl8712: Fix possible buffer overrun Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 42/51] tty: serial: 8250_mtk: always resume the device in probe Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 43/51] tty: do not set TTY_IO_ERROR flag if console port Greg Kroah-Hartman
2018-12-11 15:41 ` Greg Kroah-Hartman [this message]
2018-12-11 15:41 ` [PATCH 4.9 45/51] mac80211_hwsim: Timer should be initialized before device registered Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 46/51] mac80211: Clear beacon_int in ieee80211_do_stop Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 47/51] mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 48/51] mac80211: fix reordering of buffered broadcast packets Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 49/51] mac80211: ignore NullFunc frames in the duplicate detection Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 50/51] kbuild: fix linker feature test macros when cross compiling with Clang Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.9 51/51] kbuild: allow to use GCC toolchain not in Clang search path Greg Kroah-Hartman
2018-12-11 20:33 ` [PATCH 4.9 00/51] 4.9.145-stable review kernelci.org bot
2018-12-11 23:57 ` shuah
2018-12-12 6:45 ` Naresh Kamboju
2018-12-12 18:49 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181211151617.788916497@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel.thompson@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=macpaul@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox