Message ID | 20230418065308.452462-1-d.dulov@aladdin.ru |
---|---|
State | New |
Series | x86/kaslr: Fix potential dereference of NULL pointer. |
Commit Message
Daniil Dulov
April 18, 2023, 6:53 a.m. UTC
Pointer val can have NULL value. Then its value is assigned to the pointer p.
p is dereferenced by calling strcmp().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 4cdba14f84c9 ("x86/KASLR: Handle the memory limit specified by the 'memmap=' and 'mem=' boot options")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
arch/x86/boot/compressed/kaslr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 04/17/23 at 11:53pm, Daniil Dulov wrote:
> Pointer val can have NULL value. Then its value is assigned to the pointer p.
> p is dereferenced by calling strcmp().
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.

It's true for strcmp from lib/string.c, while it may not be so true for strcmp in arch/x86/boot/string.c, which I copy below for reference. Here, boot/compressed/kaslr.c is using the strcmp in arch/x86/boot/string.c. So leaving it as is or fixing it, either looks good to me, I even prefer the former.

    int strcmp(const char *str1, const char *str2)
    {
    	const unsigned char *s1 = (const unsigned char *)str1;
    	const unsigned char *s2 = (const unsigned char *)str2;
    	int delta = 0;

    	while (*s1 || *s2) {
    		delta = *s1 - *s2;
    		if (delta)
    			return delta;
    		s1++;
    		s2++;
    	}
    	return 0;
    }

>
> Fixes: 4cdba14f84c9 ("x86/KASLR: Handle the memory limit specified by the 'memmap=' and 'mem=' boot options")
> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
> ---
> arch/x86/boot/compressed/kaslr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c > index b92fffbe761f..51b3925d4d2d 100644 > --- a/arch/x86/boot/compressed/kaslr.c > +++ b/arch/x86/boot/compressed/kaslr.c > @@ -291,7 +291,7 @@ static void handle_mem_options(void) > } else if (!strcmp(param, "mem")) { > char *p = val; > > - if (!strcmp(p, "nopentium")) > + if (!p || !strcmp(p, "nopentium")) > continue; > mem_size = memparse(p, &p); > if (mem_size == 0) > -- > 2.25.1 >
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c index b92fffbe761f..51b3925d4d2d 100644 --- a/arch/x86/boot/compressed/kaslr.c +++ b/arch/x86/boot/compressed/kaslr.c @@ -291,7 +291,7 @@ static void handle_mem_options(void) } else if (!strcmp(param, "mem")) { char *p = val; - if (!strcmp(p, "nopentium")) + if (!p || !strcmp(p, "nopentium")) continue; mem_size = memparse(p, &p); if (mem_size == 0)
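
Review bot: In the `mem` branch, the new `!p ||` test folds "no value given" into the `nopentium` comparison, so a `mem` parameter whose `val` is NULL is now skipped silently and nothing in the code says why. The same guard is also what keeps a NULL `p` from reaching `memparse(p, &p)` two lines below, yet the commit message names only `strcmp()`. Consider a separate `if (!p) continue;` ahead of the `nopentium` comparison with a one-line comment that a valueless `mem` is ignored, and say in the changelog how `val` can end up NULL on this path, since the reply notes that the `strcmp()` used here is the one from arch/x86/boot/string.c rather than lib/string.c.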