| Message ID | 20230516123719.117137-1-xiafukun@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp420724vqo;
Tue, 16 May 2023 06:19:50 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ63de2KQgDSIgmuUZ+8uKFYqFFaT+SMxsSbPvhndwYkO/TmF1q1g9kTCjgY7b1GNeFC+o4u
X-Received: by 2002:a17:902:70c9:b0:1ad:d1ab:9cc9 with SMTP id
l9-20020a17090270c900b001add1ab9cc9mr15947784plt.12.1684243189697;
Tue, 16 May 2023 06:19:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684243189; cv=none;
d=google.com; s=arc-20160816;
b=bVxKh92ulcMtqJbax3AwoiiqUeeAmcfVQb2Zc5IvATS0PYP2iIYtI6rCcpU3UJsAKE
dr+0Yhqgjp89A/2L5tsLBP9tti5+LdmSbvgDaB/2TtINoKBBI9Gb8emvVwjcWkrICjeU
6abud+wVcr1MRSWMGmGTK/YN53JC9Vn76pfOTJHAQkpJ6IoV/kFIT/0lDcBKrLujhAxX
+prkdcYaVLXTyJANW0MzIJLiNMt0PGVtQ1BSEXahpW76y1rgVE4AmuirCgjcc8Ov/GJ+
6rAGq+WpguIMkbdslHwWjiPh8xmtl08EhMPGcWADLJDsI1WmxMJB9zeuE5Xwooah3LOi
BJSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
bh=M0azxmbfcleXbYgM8vghb+erKFCFBYF3GaJWndmRIsQ=;
b=fo1VAOyFPxwTObY/nwJS+Hrt6BtdNHhrYsNxKq8LbccshXNF+U0/e52THZtCGsy+sl
L6sPJ+rOETXg8WZeQt4fxjUE/CbsGrcR5Ap8sSjEkfg4ZBa/izrbSloFDYBM4Zgeo0qz
gVDlMBd+SorIa8v8HbQB9xV8SJdCSho39N2r8oR66PUYbOCvm97uPNE41lJ41JGb/SNS
jIAzjmlokcF9E9aJrYw++TUnafzEuVLr3rHkV104kq8ADWcgl+mE2EnA1tPePYpSiP7v
vhYhyuhir3D4q/FSLSH+3v/Ny9yGT4Qe+0hMg6Xo0hE4C4uMY/OF8AG8mLVzBnULVkO0
PU5Q==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
i2-20020a17090332c200b001a05347d092si20216443plr.642.2023.05.16.06.19.33;
Tue, 16 May 2023 06:19:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233148AbjEPMiq (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Tue, 16 May 2023 08:38:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53330 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231721AbjEPMip (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 16 May 2023 08:38:45 -0400
Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C66CE170E
for <linux-kernel@vger.kernel.org>;
Tue, 16 May 2023 05:38:43 -0700 (PDT)
Received: from kwepemi500009.china.huawei.com (unknown [172.30.72.56])
by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4QLFzf4xH9z18LRM;
Tue, 16 May 2023 20:34:22 +0800 (CST)
Received: from huawei.com (10.67.175.85) by kwepemi500009.china.huawei.com
(7.221.188.199) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Tue, 16 May
2023 20:38:41 +0800
From: Xia Fukun <xiafukun@huawei.com>
To: <gregkh@linuxfoundation.org>, <prajnoha@redhat.com>
CC: <linux-kernel@vger.kernel.org>, <xiafukun@huawei.com>
Subject: [PATCH v5] kobject: Fix global-out-of-bounds in kobject_action_type()
Date: Tue, 16 May 2023 20:37:19 +0800
Message-ID: <20230516123719.117137-1-xiafukun@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.67.175.85]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
kwepemi500009.china.huawei.com (7.221.188.199)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765684842891113403?=
X-GMAIL-MSGID: =?utf-8?q?1766056986434975943?=
|
| Series |
[v5] kobject: Fix global-out-of-bounds in kobject_action_type()
|
|
Commit Message
Xia Fukun
May 16, 2023, 12:37 p.m. UTC
The following c language code can trigger KASAN's global variable
out-of-bounds access error in kobject_action_type():
int main() {
int fd;
char *filename = "/sys/block/ram12/uevent";
char str[86] = "offline";
int len = 86;
fd = open(filename, O_WRONLY);
if (fd == -1) {
printf("open");
exit(1);
}
if (write(fd, str, len) == -1) {
printf("write");
exit(1);
}
close(fd);
return 0;
}
Function kobject_action_type() receives the input parameters buf and count,
where count is the length of the string buf.
In the use case we provided, count is 86, the count_first is 85.
Buf points to a string with a length of 86, and its first seven
characters are "offline".
In line 87 of the code, kobject_actions[action] is the string "offline"
with the length of 7,an out-of-boundary access will appear:
kobject_actions[action][85].
Use sysfs_match_string() to replace the fragile and convoluted loop.
This function is well-tested for parsing sysfs inputs. Moreover, this
modification will not cause any functional changes.
Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents")
Signed-off-by: Xia Fukun <xiafukun@huawei.com>
---
v4 -> v5:
- Fixed build errors and warnings, and retested the patch.
v3 -> v4:
- Refactor the function to be more obviously correct and readable.
---
lib/kobject_uevent.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
Comments
On 5/16/23 14:37, Xia Fukun wrote: > The following c language code can trigger KASAN's global variable > out-of-bounds access error in kobject_action_type(): > > int main() { > int fd; > char *filename = "/sys/block/ram12/uevent"; > char str[86] = "offline"; > int len = 86; > > fd = open(filename, O_WRONLY); > if (fd == -1) { > printf("open"); > exit(1); > } > > if (write(fd, str, len) == -1) { > printf("write"); > exit(1); > } > > close(fd); > return 0; > } > > Function kobject_action_type() receives the input parameters buf and count, > where count is the length of the string buf. > > In the use case we provided, count is 86, the count_first is 85. > Buf points to a string with a length of 86, and its first seven > characters are "offline". > In line 87 of the code, kobject_actions[action] is the string "offline" > with the length of 7,an out-of-boundary access will appear: > > kobject_actions[action][85]. > > Use sysfs_match_string() to replace the fragile and convoluted loop. > This function is well-tested for parsing sysfs inputs. Moreover, this > modification will not cause any functional changes. > > Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents") > Signed-off-by: Xia Fukun <xiafukun@huawei.com> > --- > v4 -> v5: > - Fixed build errors and warnings, and retested the patch. > Please, also check this is still working: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-uevent When I try passing the example line "add fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc", it doesn't recognize such input anymore and it incorrectly considers it as erroneous.
在 2023/5/16 22:02, Peter Rajnoha wrote: > On 5/16/23 14:37, Xia Fukun wrote: >> --- >> v4 -> v5: >> - Fixed build errors and warnings, and retested the patch. >> > > Please, also check this is still working: > https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-uevent > > When I try passing the example line "add > fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc", it doesn't recognize > such input anymore and it incorrectly considers it as erroneous. > Why did I receive the following error message when passing the example line "add fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc" using the original mainline code? synth uevent: /devices/virtual/block/ram12: incorrect uevent action arguments block ram12: uevent: failed to send synthetic uevent: -22 Is there a problem with my test case, or is the original code unable to successfully parse the sample?
On 5/17/23 10:54, Xia Fukun wrote: > 在 2023/5/16 22:02, Peter Rajnoha wrote: >> On 5/16/23 14:37, Xia Fukun wrote: > >>> --- >>> v4 -> v5: >>> - Fixed build errors and warnings, and retested the patch. >>> >> >> Please, also check this is still working: >> https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-uevent >> >> When I try passing the example line "add >> fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc", it doesn't recognize >> such input anymore and it incorrectly considers it as erroneous. >> > > Why did I receive the following error message when passing the example > line "add fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc" using the > original mainline code? > > synth uevent: /devices/virtual/block/ram12: incorrect uevent action arguments > block ram12: uevent: failed to send synthetic uevent: -22 > > Is there a problem with my test case, or is the original code unable > to successfully parse the sample? > That works for me, I'm testing on kernel 6.2.15: # echo "add fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc" > /sys/block/ram0/uevent # udevadm monitor --kernel --env monitor will print the received events for: KERNEL - the kernel uevent KERNEL[189.376386] add /devices/virtual/block/ram0 (block) ACTION=add DEVPATH=/devices/virtual/block/ram0 SUBSYSTEM=block SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed SYNTH_ARG_A=1 SYNTH_ARG_B=abc DEVNAME=/dev/ram0 DEVTYPE=disk DISKSEQ=14 SEQNUM=3781 MAJOR=1 MINOR=0
diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 7c44b7ae4c5c..1ec20a7d3d45 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c @@ -64,9 +64,8 @@ static int kobject_action_type(const char *buf, size_t count, const char **args) { enum kobject_action action; - size_t count_first; const char *args_start; - int ret = -EINVAL; + int i, ret = -EINVAL; if (count && (buf[count-1] == '\n' || buf[count-1] == '\0')) count--; @@ -75,23 +74,22 @@ static int kobject_action_type(const char *buf, size_t count, goto out; args_start = strnchr(buf, count, ' '); - if (args_start) { - count_first = args_start - buf; + if (args_start) args_start = args_start + 1; - } else - count_first = count; - for (action = 0; action < ARRAY_SIZE(kobject_actions); action++) { - if (strncmp(kobject_actions[action], buf, count_first) != 0) - continue; - if (kobject_actions[action][count_first] != '\0') - continue; - if (args) - *args = args_start; - *type = action; - ret = 0; - break; - } + /* Use sysfs_match_string() to replace the fragile and convoluted loop */ + i = sysfs_match_string(kobject_actions, buf); + + if (i < 0) + return ret; + + action = i; + + if (args) + *args = args_start; + + *type = action; + ret = 0; out: return ret; }