| Message ID | 20230308035930.54107-1-xiafukun@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp128785wrd;
Tue, 7 Mar 2023 20:21:38 -0800 (PST)
X-Google-Smtp-Source:
AK7set/aJC7Vd/AG9Zrsb9p+LLEAeCLJchYZaHOx7cDF/snNHWHUy++pvsjIx5Fg7PIJCJ8iKpzn
X-Received: by 2002:a17:906:1e47:b0:8ae:a761:e361 with SMTP id
i7-20020a1709061e4700b008aea761e361mr16061650ejj.41.1678249298434;
Tue, 07 Mar 2023 20:21:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678249298; cv=none;
d=google.com; s=arc-20160816;
b=QW/kkxNc6dhSqIkHquuloVeeRMoMeauxn/1qXEPllunkf53sk7khfQQwZ7ePEe9ONL
vyjbh8L4mNOWQDsnV6kVcgmF8gGjNsJQiH3Dj4hzvzaiEZ85sTo3HV/dZX1yAgvtNycn
68uo6Q6qBccqB/tuYHneXMv/oIVo7QoU4RgdnR9/iYu28chCaJlI3grP7SD+gXGLF9/K
INGJmMV8dXu3ARk58JX1ScAdbHH4f9TYQILGVgw8eD34aunxv+UCrJoRJOBySVn7Rz8a
/PNj6Jnn5yewd1zzG8zff2o0v6D9jW2Jv6ii3yZge5IeUwZmz8cOc3jTwZOV9iYDj/C0
JziQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
bh=CW1XfJzetdAwG9UQUILBBglDTQUgziDeX9cl0yBoPJw=;
b=Y0ZLuZfa4PGbFUamclUucxGAj+B+F4Ne951EVugcdvc8zbdq6EH5VwwYS1et2fyaiN
goFa80LhXLHqZKDWAZX1bsJmdrXM3uqVkDDy4obT6VmpndiHgEz5CRuxX99yCxRtkQvr
80Q81t6XR/KAZCz4TppkZY2uPUgr5SvTbSKZ+Qp5BNeUDf2zRp1GItLwXfBbyeEz0muy
JEQLWknJpFxOEJzj8fzs/uy8gEcID6pRVP84AVM1Y/ja8K+2AWYWPxWlI3CBIpsZfOzo
O5TIAPxpuVrQIHFAjxg58wtUgBMzRkRyhY/+V31/J6JvpCAMSe8dai8EdoN1HkrK7S02
ljjg==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
gf25-20020a170906e21900b008e81d6bfef8si13985026ejb.862.2023.03.07.20.21.15;
Tue, 07 Mar 2023 20:21:38 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229932AbjCHEBj (ORCPT <rfc822;toshivichauhan@gmail.com>
+ 99 others); Tue, 7 Mar 2023 23:01:39 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39398 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229917AbjCHEBg (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 7 Mar 2023 23:01:36 -0500
Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2ECD29E064
for <linux-kernel@vger.kernel.org>;
Tue, 7 Mar 2023 20:01:34 -0800 (PST)
Received: from kwepemi500009.china.huawei.com (unknown [172.30.72.54])
by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4PWdpX0sntz16PJc;
Wed, 8 Mar 2023 11:58:44 +0800 (CST)
Received: from huawei.com (10.67.175.85) by kwepemi500009.china.huawei.com
(7.221.188.199) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Wed, 8 Mar
2023 12:01:31 +0800
From: Xia Fukun <xiafukun@huawei.com>
To: <gregkh@linuxfoundation.org>, <prajnoha@redhat.com>
CC: <linux-kernel@vger.kernel.org>, <xiafukun@huawei.com>
Subject: [PATCH v2] kobject: Fix global-out-of-bounds in kobject_action_type()
Date: Wed, 8 Mar 2023 11:59:30 +0800
Message-ID: <20230308035930.54107-1-xiafukun@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.67.175.85]
X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To
kwepemi500009.china.huawei.com (7.221.188.199)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1759771936200462757?=
X-GMAIL-MSGID: =?utf-8?q?1759771936200462757?=
|
| Series |
[v2] kobject: Fix global-out-of-bounds in kobject_action_type()
|
|
Commit Message
Xia Fukun
March 8, 2023, 3:59 a.m. UTC
The following c language code can trigger KASAN's global variable
out-of-bounds access error in kobject_action_type():
int main() {
int fd;
char *filename = "/sys/block/ram12/uevent";
char str[86] = "offline";
int len = 86;
fd = open(filename, O_WRONLY);
if (fd == -1) {
printf("open");
exit(1);
}
if (write(fd, str, len) == -1) {
printf("write");
exit(1);
}
close(fd);
return 0;
}
Function kobject_action_type() receives the input parameters buf and count,
where count is the length of the string buf.
In the use case we provided, count is 86, the count_first is 85.
Buf points to a string with a length of 86, and its first seven
characters are "offline".
In line 87 of the code, kobject_actions[action] is the string "offline"
with the length of 7,an out-of-boundary access will appear:
kobject_actions[action][85].
Modify the judgment logic in line 87. If the length of the string
kobject_actions[action] is greater than count_first(e.g. buf is "off",
count is 3), continue the loop.
Otherwise, the match is considered successful.
This change means that our test case will be successfully parsed as an
offline event and no out-of-bounds access error will occur.
Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents")
Signed-off-by: Xia Fukun <xiafukun@huawei.com>
---
v1 -> v2:
- modify the matching logic
lib/kobject_uevent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Wed, Mar 08, 2023 at 11:59:30AM +0800, Xia Fukun wrote: > The following c language code can trigger KASAN's global variable > out-of-bounds access error in kobject_action_type(): > > int main() { > int fd; > char *filename = "/sys/block/ram12/uevent"; > char str[86] = "offline"; > int len = 86; > > fd = open(filename, O_WRONLY); > if (fd == -1) { > printf("open"); > exit(1); > } > > if (write(fd, str, len) == -1) { > printf("write"); > exit(1); > } > > close(fd); > return 0; > } > > Function kobject_action_type() receives the input parameters buf and count, > where count is the length of the string buf. > > In the use case we provided, count is 86, the count_first is 85. > Buf points to a string with a length of 86, and its first seven > characters are "offline". > In line 87 of the code, kobject_actions[action] is the string "offline" > with the length of 7,an out-of-boundary access will appear: > > kobject_actions[action][85]. > > Modify the judgment logic in line 87. If the length of the string > kobject_actions[action] is greater than count_first(e.g. buf is "off", > count is 3), continue the loop. > Otherwise, the match is considered successful. > > This change means that our test case will be successfully parsed as an > offline event and no out-of-bounds access error will occur. > > Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents") > Signed-off-by: Xia Fukun <xiafukun@huawei.com> > --- > v1 -> v2: > - modify the matching logic I see 2 v2 patches in my queue, with no way to tell which one is correct. Please fix up and send a v3. thanks, greg k-h
diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 7c44b7ae4c5c..474f996895c7 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c @@ -84,7 +84,7 @@ static int kobject_action_type(const char *buf, size_t count, for (action = 0; action < ARRAY_SIZE(kobject_actions); action++) { if (strncmp(kobject_actions[action], buf, count_first) != 0) continue; - if (kobject_actions[action][count_first] != '\0') + if (strlen(kobject_actions[action]) > count_first) continue; if (args) *args = args_start;