From: Adrian Hunter <adrian.hunter@intel.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Aaron Tomlin <atomlin@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Jiri Olsa <jolsa@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] modules: Fix corruption of /proc/kallsyms
Date: Mon, 11 Jul 2022 10:48:16 +0300 [thread overview]
Message-ID: <edcf6946-1c47-c01a-e795-e874f42b2e2d@intel.com> (raw)
In-Reply-To: <Yr9p4YOOfJp5evCq@bombadil.infradead.org>
On 2/07/22 00:40, Luis Chamberlain wrote:
> On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
>> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
>> file") changed from using strlcpy() to using strscpy() which created a
>> buffer overflow. That happened because:
>> 1) an incorrect value was passed as the buffer length
>> 2) strscpy() (unlike strlcpy()) may copy beyond the length of the
>> input string when copying word-by-word.
>> The assumption was that because it was already known that the strings
>> being copied would fit in the space available, it was not necessary
>> to correctly set the buffer length. strscpy() breaks that assumption
>> because although it will not touch bytes beyond the given buffer length
>> it may write bytes beyond the input string length when writing
>> word-by-word.
>>
>> The result of the buffer overflow is to corrupt the symbol type
>> information that follows. e.g.
>>
>> $ sudo cat -v /proc/kallsyms | grep '\^' | head
>> ffffffffc0615000 ^@ rfcomm_session_get [rfcomm]
>> ffffffffc061c060 ^@ session_list [rfcomm]
>> ffffffffc06150d0 ^@ rfcomm_send_frame [rfcomm]
>> ffffffffc0615130 ^@ rfcomm_make_uih [rfcomm]
>> ffffffffc07ed58d ^@ bnep_exit [bnep]
>> ffffffffc07ec000 ^@ bnep_rx_control [bnep]
>> ffffffffc07ec1a0 ^@ bnep_session [bnep]
>> ffffffffc07e7000 ^@ input_leds_event [input_leds]
>> ffffffffc07e9000 ^@ input_leds_handler [input_leds]
>> ffffffffc07e7010 ^@ input_leds_disconnect [input_leds]
>>
>> Notably, the null bytes (represented above by ^@) can confuse tools.
>>
>> Fix by correcting the buffer length.
>>
>> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
>> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
>
> Queued up thanks!
>
> Luis
Thanks for processing this.
I notice it is -rc6 and I do not see it in Linus' tree. This is a fix
for a regression, shouldn't it be included in 5.19?
next prev parent reply other threads:[~2022-07-11 7:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-01 9:44 [PATCH] modules: Fix corruption of /proc/kallsyms Adrian Hunter
2022-07-01 21:40 ` Luis Chamberlain
2022-07-11 7:48 ` Adrian Hunter [this message]
2022-07-11 16:02 ` Luis Chamberlain
2022-07-11 17:37 ` Aaron Tomlin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=edcf6946-1c47-c01a-e795-e874f42b2e2d@intel.com \
--to=adrian.hunter@intel.com \
--cc=acme@kernel.org \
--cc=atomlin@redhat.com \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox