| Message ID | 20230418065308.452462-1-d.dulov@aladdin.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2637248vqo;
Tue, 18 Apr 2023 00:10:04 -0700 (PDT)
X-Google-Smtp-Source:
AKy350YvivehEbh32AED8/MQk60+sO5wlr8IRjoRi6WX1k9jjSgOmCJ9KlBZG6Bsiw+Abwjm3dDH
X-Received: by 2002:a17:90a:e398:b0:247:abb6:1528 with SMTP id
b24-20020a17090ae39800b00247abb61528mr1174904pjz.2.1681801804533;
Tue, 18 Apr 2023 00:10:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1681801804; cv=none;
d=google.com; s=arc-20160816;
b=HRCSm/6mU+jXts9CSm0JfJy8ZfrcODxsqFuNGuKX5hGnBjqXnLMPU2M2ktnkZB608x
bRM3MqKXzPrnRtXL2M8bo2F+Bw5MGVGK068iLrezr6TN/1xdN6eZ7ua/KYVrbw3OzCFX
X8r7sQ+hZIzWAN8eZCiPsLrhTzmHBlGC6E7Si1jY7SLKqZ8/UHa5i5Kn11bcmealtdq2
KXs+ZpuZ+0OlZ3Nk0VnEo+mwERwZWVFrhAJr6lT/qU/H92l9J/TCZOb1qvHs4vJ/eQzl
0Hc3M2gQqa35C2rCesMoWhJdXCwGQd93h5bTSAi0LRN/zZyiFznMzwiAYMXMMmiA/Rdj
ZQcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=wnb4SvcChbc0Njx/lCxBk1KI+fDz0Lj42VTjnWrrFWk=;
b=liex6oW+U86sHpYE0IeZ07qK27tdNHFq02LFn42SfGJDcIz/rAviP0/6odQzQ75z3N
/LmWiKNmbBGPqvJ+lhm1CD5Ddq/xMJkVZKuQSZBwuTZJzaTztTMhsQ43pes/wgnSNUqe
HkTMxu6P6NqDqOEafA7u/GAqbr8gir+H8AKEqG2qtnrsj3PYMHzgXGd5AEwPVIX74P8r
LbbXFOHB6y+Afs61sBjmu4RQP29eRBw0b+JMhp0HiwmgDlk2H3iP7cTCzazrmLRw3Lve
Gu91MSOCfOLnsIs7yMrYWGoiI/Rrf/GQUBBMohau9Yue1PCjauwi+vKl18F6KaLzBPDN
z/YQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
pg11-20020a17090b1e0b00b002478f3a1cbcsi5032162pjb.135.2023.04.18.00.09.51;
Tue, 18 Apr 2023 00:10:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230443AbjDRGxj (ORCPT <rfc822;leviz.kernel.dev@gmail.com>
+ 99 others); Tue, 18 Apr 2023 02:53:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47378 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230371AbjDRGxf (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 18 Apr 2023 02:53:35 -0400
Received: from mail-out.aladdin-rd.ru (mail-out.aladdin-rd.ru [91.199.251.16])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2104EC4
for <linux-kernel@vger.kernel.org>;
Mon, 17 Apr 2023 23:53:31 -0700 (PDT)
From: Daniil Dulov <d.dulov@aladdin.ru>
To: Thomas Gleixner <tglx@linutronix.de>
CC: Daniil Dulov <d.dulov@aladdin.ru>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>, <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>, Baoquan He <bhe@redhat.com>,
Kees Cook <keescook@chromium.org>,
<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH] x86/kaslr: Fix potential dereference of NULL pointer.
Date: Mon, 17 Apr 2023 23:53:08 -0700
Message-ID: <20230418065308.452462-1-d.dulov@aladdin.ru>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [10.0.20.32]
X-ClientProxiedBy: EXCH-2016-02.aladdin.ru (192.168.1.102) To
EXCH-2016-01.aladdin.ru (192.168.1.101)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1763497008879464020?=
X-GMAIL-MSGID: =?utf-8?q?1763497008879464020?=
|
| Series |
x86/kaslr: Fix potential dereference of NULL pointer.
|
|
Commit Message
Daniil Dulov
April 18, 2023, 6:53 a.m. UTC
Pointer val can have NULL value. Then its value is assigned to the pointer p.
p is dereferenced by calling strcmp().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 4cdba14f84c9 ("x86/KASLR: Handle the memory limit specified by the 'memmap=' and 'mem=' boot options")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
arch/x86/boot/compressed/kaslr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 04/17/23 at 11:53pm, Daniil Dulov wrote: > Pointer val can have NULL value. Then its value is assigned to the pointer p. > p is dereferenced by calling strcmp(). > > Found by Linux Verification Center (linuxtesting.org) with SVACE. It's true for strcmp from lib/string.c, while may not be so true for strcmp in arch/x86/boot/string.c which I copy at below for reference. Here, boot/compressed/kaslr.c is using the strcmp in arch/x86/boot/string.c. So leaving it as is or fixing it, either looks good to me, I even prefer the former. int strcmp(const char *str1, const char *str2) { const unsigned char *s1 = (const unsigned char *)str1; const unsigned char *s2 = (const unsigned char *)str2; int delta = 0; while (*s1 || *s2) { delta = *s1 - *s2; if (delta) return delta; s1++; s2++; } return 0; } > > Fixes: 4cdba14f84c9 ("x86/KASLR: Handle the memory limit specified by the 'memmap=' and 'mem=' boot options") > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > --- > arch/x86/boot/compressed/kaslr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c > index b92fffbe761f..51b3925d4d2d 100644 > --- a/arch/x86/boot/compressed/kaslr.c > +++ b/arch/x86/boot/compressed/kaslr.c > @@ -291,7 +291,7 @@ static void handle_mem_options(void) > } else if (!strcmp(param, "mem")) { > char *p = val; > > - if (!strcmp(p, "nopentium")) > + if (!p || !strcmp(p, "nopentium")) > continue; > mem_size = memparse(p, &p); > if (mem_size == 0) > -- > 2.25.1 >
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c index b92fffbe761f..51b3925d4d2d 100644 --- a/arch/x86/boot/compressed/kaslr.c +++ b/arch/x86/boot/compressed/kaslr.c @@ -291,7 +291,7 @@ static void handle_mem_options(void) } else if (!strcmp(param, "mem")) { char *p = val; - if (!strcmp(p, "nopentium")) + if (!p || !strcmp(p, "nopentium")) continue; mem_size = memparse(p, &p); if (mem_size == 0)