| From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001 |
| From: Macpaul Lin <macpaul@gmail.com> |
| Date: Wed, 17 Oct 2018 23:08:38 +0800 |
| Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() |
| |
| From: Macpaul Lin <macpaul@gmail.com> |
| |
| commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream. |
| |
| This patch is trying to fix KE issue due to |
| "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198" |
| reported by Syzkaller scan." |
| |
| [26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198 |
| [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364 |
| [26364:syz-executor0][name:report&] |
| [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0 |
| [26364:syz-executor0]Call trace: |
| [26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470 |
| [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30 |
| [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128 |
| [26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8 |
| [26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390 |
| [26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20 |
| [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198 |
| [26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270 |
| [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90 |
| [26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158 |
| [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8 |
| [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0 |
| [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0 |
| [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8 |
| [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208 |
| [26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28 |
| [26364:syz-executor0][name:report&] |
| [26364:syz-executor0][name:report&]The buggy address belongs to the variable: |
| [26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40 |
| [26364:syz-executor0][name:report&] |
| [26364:syz-executor0][name:report&]Memory state around the buggy address: |
| [26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa |
| [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa |
| [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 |
| [26364:syz-executor0][name:report&] ^ |
| [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa |
| [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa |
| [26364:syz-executor0][name:report&] |
| [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint |
| [26364:syz-executor0]------------[cut here]------------ |
| |
| After checking the source code, we've found there might be an out-of-bounds |
| access to "config[len - 1]" array when the variable "len" is zero. |
| |
| Signed-off-by: Macpaul Lin <macpaul@gmail.com> |
| Acked-by: Daniel Thompson <daniel.thompson@linaro.org> |
| Cc: stable <stable@vger.kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/tty/serial/kgdboc.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/tty/serial/kgdboc.c |
| +++ b/drivers/tty/serial/kgdboc.c |
| @@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr) |
| |
| static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp) |
| { |
| - int len = strlen(kmessage); |
| + size_t len = strlen(kmessage); |
| |
| if (len >= MAX_CONFIG_LEN) { |
| printk(KERN_ERR "kgdboc: config string too long\n"); |
| @@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch |
| |
| strcpy(config, kmessage); |
| /* Chop out \n char as a result of echo */ |
| - if (config[len - 1] == '\n') |
| + if (len && config[len - 1] == '\n') |
| config[len - 1] = '\0'; |
| |
| if (configured == 1) |