Linux kernel -stable discussions
* [PATCH] arm64: v6.8: cmdline param >= 146 chars kills kernel
@ 2024-07-26 13:48 Tj
  2024-07-27  5:10 ` Greg KH
From: Tj @ 2024-07-26 13:48 UTC (permalink / raw)
  To: stable@vger.kernel.org; +Cc: Catalin Marinas, Will Deacon, Ard Biesheuvel

This is v6.8 specific; v6.9 is reported as not affected (due to
extensive code refactoring).

Commit dc3f5aae0638 reworked how early cmdline CPU feature parsing
is done, and converted to using memcmp() in preparation for the move to
the pi minimal C standard library.
As a result it caused a regression whereby a parameter >= 146
characters on the kernel command line would cause a silent panic with no
console clues as to why.
It is due to memcmp() in include/linux/fortify-string.h detecting an
attempted out-of-bounds read. The cause itself is subtle.

arch/arm64/kernel/idreg-override.c::__parse_cmdline() compares the
struct aliases entries with each parameter via memcmp().

#define FTR_ALIAS_NAME_LEN 30
#define FTR_ALIAS_OPTION_LEN 116
...
static const struct {
	char alias[FTR_ALIAS_NAME_LEN];
	char feature[FTR_ALIAS_OPTION_LEN];
} aliases[]

Each element is 146 characters. When a parameter is also 146 characters
the call looks like memcmp(buf, aliases[i].alias, len+1) where len is
the equivalent of strlen(buf) and +1 to compare including the trailing
NUL.

That triggers the fortified memcmp()'s:

if (p_size < size || q_size < size)
	fortify_panic(__func__);

where q_size == 146, size == 147

The solution here is to not call memcmp() at all unless the two strings
have the same length.

Initially reported in Ubuntu (and confirmed to affect Debian and
Mainline):

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2069534

Signed-off-by: Tj <tj.iam.tj@proton.me>
---
 arch/arm64/kernel/idreg-override.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c
index e30fd9e32ef3a..9d2c120f378ae 100644
--- a/arch/arm64/kernel/idreg-override.c
+++ b/arch/arm64/kernel/idreg-override.c
@@ -308,7 +308,8 @@ static __init void __parse_cmdline(const char *cmdline, bool parse_aliases)
 		match_options(buf);
 
 		for (i = 0; parse_aliases && i < ARRAY_SIZE(aliases); i++)
-			if (!memcmp(buf, aliases[i].alias, len + 1))
+			if (len == strlen(aliases[i].alias) &&
+			    !memcmp(buf, aliases[i].alias, len + 1))
 				__parse_cmdline(aliases[i].feature, false);
 	} while (1);
 }
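Review bot: the new guard `if (len == strlen(aliases[i].alias) &&` deserves a one-line comment saying why it must precede the memcmp(): it bounds the compare size to the alias string length (under FTR_ALIAS_NAME_LEN) so the fortified memcmp() in include/linux/fortify-string.h never sees a size larger than the 146-byte element. As written the test reads like a cheap optimisation, and a later cleanup could drop it and silently reintroduce the panic the commit message describes. Note also that once the lengths are equal, comparing `len + 1` bytes is equivalent to comparing `len` bytes, since both strings carry a NUL at index len; keeping `len + 1` is fine, but the comment should make clear that the length test, not the `+ 1`, is what makes the compare safe.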
-- 
2.39.2
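
The failure mode described in the commit message (a 146-byte element, a compare of len + 1 bytes, and the fortified memcmp() refusing the read) reproduced in user space as an added example; this is not code from the patch author or from the kernel. The alias entries are constructed samples, fortified_memcmp() is a stand-in that records the fortify size check instead of panicking, and probe_param_length() builds constructed parameters of a chosen length so the pre-patch and patched lookups can be compared side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTR_ALIAS_NAME_LEN 30
#define FTR_ALIAS_OPTION_LEN 116
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Same element layout as the kernel's aliases[]: 30 + 116 = 146 bytes.
 * The entries are constructed samples, not the kernel's table. */
static const struct {
	char alias[FTR_ALIAS_NAME_LEN];
	char feature[FTR_ALIAS_OPTION_LEN];
} aliases[] = {
	{ "sample.alias_a", "sample.feature_a=1" },
	{ "sample.alias_b", "sample.feature_b=0" },
};

/* Stand-in for the fortified memcmp(): if either known object size is
 * smaller than the requested length the kernel calls fortify_panic();
 * here the event is recorded in *panicked and treated as "no match". */
static int fortified_memcmp(const void *p, size_t p_size,
			    const void *q, size_t q_size,
			    size_t size, bool *panicked)
{
	if (p_size < size || q_size < size) {
		*panicked = true;	/* kernel: fortify_panic(__func__) */
		return 1;
	}
	return memcmp(p, q, size);
}

/* Pre-patch lookup: memcmp(buf, alias, len + 1) against every entry,
 * with q_size being the 146-byte element as in the report.
 * Returns the matched index, -1 for no match, -2 if fortify fired. */
int match_alias_unguarded(const char *buf)
{
	size_t len = strlen(buf);
	bool panicked = false;

	for (size_t i = 0; i < ARRAY_SIZE(aliases); i++) {
		int rc = fortified_memcmp(buf, len + 1, aliases[i].alias,
					  sizeof(aliases[i]), len + 1,
					  &panicked);
		if (panicked)
			return -2;
		if (!rc)
			return (int)i;
	}
	return -1;
}

/* Patched lookup: compare only when the lengths already agree, so the
 * memcmp() size is bounded by the alias length and never reaches 146. */
int match_alias_guarded(const char *buf)
{
	size_t len = strlen(buf);
	bool panicked = false;

	for (size_t i = 0; i < ARRAY_SIZE(aliases); i++) {
		if (len != strlen(aliases[i].alias))
			continue;
		int rc = fortified_memcmp(buf, len + 1, aliases[i].alias,
					  sizeof(aliases[i]), len + 1,
					  &panicked);
		if (panicked)
			return -2;
		if (!rc)
			return (int)i;
	}
	return -1;
}

/* Build a constructed n-character parameter ('x' repeated) and run one
 * of the two lookups on it; n must leave room for the NUL. */
int probe_param_length(size_t n, bool guarded)
{
	char buf[256];

	if (n >= sizeof(buf))
		return -3;
	memset(buf, 'x', n);
	buf[n] = '\0';
	return guarded ? match_alias_guarded(buf) : match_alias_unguarded(buf);
}

int main(void)
{
	size_t lengths[] = { 8, 145, 146, 147 };

	for (size_t i = 0; i < ARRAY_SIZE(lengths); i++)
		printf("len=%zu  pre-patch=%d  patched=%d\n", lengths[i],
		       probe_param_length(lengths[i], false),
		       probe_param_length(lengths[i], true));
	return 0;
}
```

A 145-character parameter passes the size check on both paths (size 146 == q_size 146) but a 146-character one requests 147 bytes from a 146-byte element, which is exactly the `q_size < size` case from the commit message; the guarded lookup never issues that compare because no alias string is that long.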


* Re: [PATCH] arm64: v6.8: cmdline param >= 146 chars kills kernel
  2024-07-26 13:48 [PATCH] arm64: v6.8: cmdline param >= 146 chars kills kernel Tj
@ 2024-07-27  5:10 ` Greg KH
From: Greg KH @ 2024-07-27  5:10 UTC (permalink / raw)
  To: Tj; +Cc: stable@vger.kernel.org, Catalin Marinas, Will Deacon,
	Ard Biesheuvel

On Fri, Jul 26, 2024 at 01:48:44PM +0000, Tj wrote:
> This is v6.8 specific; v6.9 is reported as not affected (due to
> extensive code refactoring).

The 6.8.y kernel tree is long end-of-life, there's nothing we can do
about that one anymore, sorry.  Also, you really shouldn't be using that
branch for anything at this point in time either.

Always check the front page of kernel.org if you are wondering about the
status of any stable tree.

thanks,

greg k-h
