From: quic_zijuhu <quic_zijuhu@quicinc.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: <rafael@kernel.org>, <akpm@linux-foundation.org>,
<dmitry.torokhov@gmail.com>, <linux-kernel@vger.kernel.org>,
<stable@vger.kernel.org>
Subject: Re: [PATCH] kobject_uevent: Fix OOB access within zap_modalias_env()
Date: Fri, 24 May 2024 22:46:53 +0800
Message-ID: <ced59dca-70cd-4680-b7d5-e0983aa9be74@quicinc.com>
In-Reply-To: <2024052405-award-recycling-6931@gregkh>

On 5/24/2024 7:47 PM, Greg KH wrote:
> On Fri, May 24, 2024 at 05:08:06PM +0800, quic_zijuhu wrote:
>> On 5/24/2024 2:56 PM, Greg KH wrote:
>>> On Fri, May 24, 2024 at 01:34:49PM +0800, quic_zijuhu wrote:
>>>> On 5/24/2024 1:21 PM, Greg KH wrote:
>>>>> On Fri, May 24, 2024 at 01:15:01PM +0800, quic_zijuhu wrote:
>>>>>> On 5/24/2024 12:33 PM, Greg KH wrote:
>>>>>>> On Fri, May 24, 2024 at 12:20:03PM +0800, Zijun Hu wrote:
>>>>>>>> zap_modalias_env() wrongly calculates size of memory block
>>>>>>>> to move, so maybe cause OOB memory access issue, fixed by
>>>>>>>> correcting size to memmove.
>>>>>>>
>>>>>>> "maybe" or "does"? That's a big difference :)
>>>>>>>
>>>>>> i found this issue by reading code instead of really meeting this issue.
>>>>>> this issue should be prone to happen if there are more than 1 other
>>>>>> environment vars.
>>>>>
>>>>> But does it? Given that we have loads of memory checkers, and I haven't
>>>>> ever seen any report of any overrun, it would be nice to be sure.
>>>>>
>>>> yes. if @env includes env variable MODALIAS and more than one other env
>>>> variables. then (env->buflen - len) must be greater than actual size of
>>>> "target block" shown previously, so the OOB issue must happen.
>>>
>>> Then why are none of the tools that we have for catching out-of-bound
>>> issues triggered here? Are the tools broken or is this really just not
>>> ever happening? It would be good to figure that out...
>>>
>> don't know why. perhaps, need to report our case to expert of tools.
>
> Try running them yourself and see!

I found out the reason why the OOB issue is difficult to observe.
The reason is that MODALIAS is the last variable added by most
drivers by accident, and it skips the obviously wrong logic within
zap_modalias_env().

You may run the command below to confirm the reason.

    grep -l -r MODALIAS drivers/ | xargs grep add_uevent_var
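
A small userspace model of the point made in this message, added here as an example and not code from the thread or the kernel. It assumes variables packed back to back in one buffer, a move size of (env->buflen - len) as quoted above, and no move at all when MODALIAS is last; `struct env_model`, `env_add`, `overshoot` and `overshoot_for` are hypothetical names and the variable lists are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption): NUL-terminated strings packed in buf. */
struct env_model {
    char buf[256];
    size_t buflen;      /* bytes used in buf, NULs included */
    char *envp[8];
    int envp_idx;
};

static void env_add(struct env_model *e, const char *s)
{
    size_t n = strlen(s) + 1;
    memcpy(e->buf + e->buflen, s, n);
    e->envp[e->envp_idx++] = e->buf + e->buflen;
    e->buflen += n;
}

/* Bytes by which a move of (buflen - len), starting at the variable after
 * MODALIAS, runs past the used part of buf; 0 when MODALIAS is last. */
static size_t overshoot(const struct env_model *e)
{
    for (int i = 0; i < e->envp_idx; i++) {
        if (strncmp(e->envp[i], "MODALIAS=", 9))
            continue;
        if (i == e->envp_idx - 1)
            return 0;                       /* last entry: nothing is moved */
        size_t len = strlen(e->envp[i]) + 1;
        size_t tail = (size_t)(e->buf + e->buflen - e->envp[i + 1]);
        return (e->buflen - len) - tail;    /* requested minus real tail */
    }
    return 0;
}

/* Build a model environment from a constructed list and measure it. */
static size_t overshoot_for(const char **vars, int n)
{
    struct env_model e = { .buflen = 0, .envp_idx = 0 };
    for (int i = 0; i < n; i++)
        env_add(&e, vars[i]);
    return overshoot(&e);
}

int main(void)
{
    const char *last[] = { "ACTION=add", "DEVPATH=/x", "MODALIAS=foo" };
    const char *mid[]  = { "ACTION=add", "MODALIAS=foo", "DEVPATH=/x" };
    printf("last: %zu  middle: %zu\n", overshoot_for(last, 3), overshoot_for(mid, 3));
    return 0;
}
```

In this model the excess equals the number of bytes stored ahead of MODALIAS, so it is nonzero only when MODALIAS has variables both before and after it.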

Thread overview: 11+ messages
2024-05-24 4:20 [PATCH] kobject_uevent: Fix OOB access within zap_modalias_env() Zijun Hu
2024-05-24 4:33 ` Greg KH
2024-05-24 5:15 ` quic_zijuhu
2024-05-24 5:21 ` Greg KH
2024-05-24 5:34 ` quic_zijuhu
2024-05-24 6:56 ` Greg KH
2024-05-24 9:08 ` quic_zijuhu
2024-05-24 11:47 ` Greg KH
2024-05-24 14:46 ` quic_zijuhu [this message]
2024-06-30 15:08 ` Zhou congjie
2024-07-04 14:01 ` quic_zijuhu