release/5.2.22/s390-cio-avoid-calling-strlen-on-null-pointer.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 6caeec759425c4cd53a9d54a55face09036bce16 Mon Sep 17 00:00:00 2001
 From: Vasily Gorbik <gor@linux.ibm.com>
 Date: Tue, 17 Sep 2019 20:04:04 +0200
 Subject: [PATCH] s390/cio: avoid calling strlen on null pointer

 commit ea298e6ee8b34b3ed4366be7eb799d0650ebe555 upstream.

 Fix the following kasan finding:
 BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140
 Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561

 CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G    B
 Hardware name: IBM 3906 M04 704 (LPAR)
 Call Trace:
 ([<0000000231b3db7e>] show_stack+0x14e/0x1a8)
  [<0000000233826410>] dump_stack+0x1d0/0x218
  [<000000023216fac4>] print_address_description+0x64/0x380
  [<000000023216f5a8>] __kasan_report+0x138/0x168
  [<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140
  [<00000002332b618a>] group_store+0x3a/0x50
  [<00000002323ac706>] kernfs_fop_write+0x246/0x3b8
  [<00000002321d409a>] vfs_write+0x132/0x450
  [<00000002321d47da>] ksys_write+0x122/0x208
  [<0000000233877102>] system_call+0x2a6/0x2c8

 Triggered by:
 openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group",
 		O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 16
 write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26

 The problem is that __get_next_id in ccwgroup_create_dev might set "buf"
 buffer pointer to NULL and explicit check for that is required.

 Cc: stable@vger.kernel.org
 Reviewed-by: Sebastian Ott <sebott@linux.ibm.com>
 Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/s390/cio/ccwgroup.c b/drivers/s390/cio/ccwgroup.c
 index 4ebf6d4fc66c..c2e04d7e05eb 100644
 --- a/drivers/s390/cio/ccwgroup.c
 +++ b/drivers/s390/cio/ccwgroup.c
 @@ -372,7 +372,7 @@ int ccwgroup_create_dev(struct device *parent, struct ccwgroup_driver *gdrv,
  		goto error;
  	}
  	/* Check for trailing stuff. */
 -	if (i == num_devices && strlen(buf) > 0) {
 +	if (i == num_devices && buf && strlen(buf) > 0) {
  		rc = -EINVAL;
  		goto error;
  	}
 --
 2.7.4
	From 6caeec759425c4cd53a9d54a55face09036bce16 Mon Sep 17 00:00:00 2001
	From: Vasily Gorbik <gor@linux.ibm.com>
	Date: Tue, 17 Sep 2019 20:04:04 +0200
	Subject: [PATCH] s390/cio: avoid calling strlen on null pointer

	commit ea298e6ee8b34b3ed4366be7eb799d0650ebe555 upstream.

	Fix the following kasan finding:
	BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140
	Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561

	CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G B
	Hardware name: IBM 3906 M04 704 (LPAR)
	Call Trace:
	([<0000000231b3db7e>] show_stack+0x14e/0x1a8)
	[<0000000233826410>] dump_stack+0x1d0/0x218
	[<000000023216fac4>] print_address_description+0x64/0x380
	[<000000023216f5a8>] __kasan_report+0x138/0x168
	[<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140
	[<00000002332b618a>] group_store+0x3a/0x50
	[<00000002323ac706>] kernfs_fop_write+0x246/0x3b8
	[<00000002321d409a>] vfs_write+0x132/0x450
	[<00000002321d47da>] ksys_write+0x122/0x208
	[<0000000233877102>] system_call+0x2a6/0x2c8

	Triggered by:
	openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group",
	O_WRONLY\|O_CREAT\|O_TRUNC\|O_CLOEXEC, 0666) = 16
	write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26

	The problem is that __get_next_id in ccwgroup_create_dev might set "buf"
	buffer pointer to NULL and explicit check for that is required.

	Cc: stable@vger.kernel.org
	Reviewed-by: Sebastian Ott <sebott@linux.ibm.com>
	Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/s390/cio/ccwgroup.c b/drivers/s390/cio/ccwgroup.c
	index 4ebf6d4fc66c..c2e04d7e05eb 100644
	--- a/drivers/s390/cio/ccwgroup.c
	+++ b/drivers/s390/cio/ccwgroup.c
	@@ -372,7 +372,7 @@ int ccwgroup_create_dev(struct device parent, struct ccwgroup_driver gdrv,
	goto error;
	}
	/* Check for trailing stuff. */
	- if (i == num_devices && strlen(buf) > 0) {
	+ if (i == num_devices && buf && strlen(buf) > 0) {
	rc = -EINVAL;
	goto error;
	}
	--
	2.7.4