From patchwork Tue Nov 21 11:02:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Granados via B4 Relay X-Patchwork-Id: 167654 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2b07:b0:403:3b70:6f57 with SMTP id io7csp538347vqb; Tue, 21 Nov 2023 03:03:08 -0800 (PST) X-Google-Smtp-Source: AGHT+IHxCPRMDIydGVgX/nraHaf+8qM0b9YLAuyWGBe5bRMg1fVGan2/GxbQHZRcfzxFrjlTi/ZY X-Received: by 2002:a05:6808:f8f:b0:3b6:21cc:742b with SMTP id o15-20020a0568080f8f00b003b621cc742bmr13497162oiw.30.1700564587882; Tue, 21 Nov 2023 03:03:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700564587; cv=none; d=google.com; s=arc-20160816; b=j8aYIPQo9/UdivKDp4/t5xfXe0Ei709S9JSI17CaE98yMLeK+NyR+/MBRvryAgBuk7 buEzf9w7ChGZdX0IEabR0Al16+2ZpxlgafNPp8qkPguhIqZfLm0dmprqkEap966/GS0d 6pnZirr0vAcdtXuhan3t68RWpfc4PP/xB11jUUmb2aPqKGvzyoi7s6kQOCq7zLscu1xt vVCWdQWA5uIuUjxD3q6m0WN80A6dI14Cxk3lLfxvH+yZINSgRbdm7A9E0/ecN9wcsm3m tPTG6fOyEdCpgU7E2yzT455sYkC/EUzHEehDLu+giPuRO1xW7d1VP8DqNYbl+HTrgHjP QiVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:reply-to:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=gW8LsgsbJSdnLr5EM3tY83Xms16e4ET+etYPIjcO3kU=; fh=r13DB9PMClsgJxps2czswS9cgGPxXX72DhpHy57uwCk=; b=iJZv96SqV9+j/0vpmGs816uljWuI/mZRB2YPdkmeLugOZm0dpFb6eWF0RUCcGYAmq3 7PIBJ/YC5/aZnhaaIZ0j5KjORfqup+9wArkIQE6Zg1V4c7fsCdh/EtXrdzfnueHF4yVU Quq9heMKp1vWL1H/M+GhcEqVDfCspU4jZJ9IWKw+3HW0ZmkeKN3XzbK8wo1Y2ERsyTQY sU4GpdWGvU5gQBPTP6DHXmzpEqNlQyDMEUPUdRGGf12E9Y9Q6+jEm5VidmP+hBUpm+Xg XVnT+5YKqpSX0OVpAsUk69IB77oyJGUFhMx2X0ZDXAHIL4nHXxFO6/RZId0N0rhDKasC IjYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QLgMT8nB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32]) by mx.google.com with ESMTPS id by39-20020a056a0205a700b005bd2713d3a1si11493096pgb.650.2023.11.21.03.03.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Nov 2023 03:03:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QLgMT8nB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 16C978030E44; Tue, 21 Nov 2023 03:02:57 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233944AbjKULCw (ORCPT + 99 others); Tue, 21 Nov 2023 06:02:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56902 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231657AbjKULCd (ORCPT ); Tue, 21 Nov 2023 06:02:33 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13E3A11A for ; Tue, 21 Nov 2023 03:02:30 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPS id AFC37C433C9; Tue, 21 Nov 2023 11:02:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1700564549; bh=mLo7DVRk6BC2SJHa6E2iWbSrid7500eOVL41NJVj/3c=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=QLgMT8nB2Jww97e94Mvrs70nJNdtyxszgJ2v6Y0Ls0lbVk8VznTguxd7nwwuurZaF ZVSp1EFauFXUOX4/XtYwYxPOqb/DFuG1ugoxsFQIiwERDUH2nyF3VvczWgkuRgU/wy BRTCC+Lab6Makyj31Hd6+J/bmmJJQ1CDMPNZgmHDuGYVAl8wtzvckB1FGh5zcY9wVa A0W/kJZkFvXb82hT01s7Fb4fJkm2TlTxSdiX5h2ub7aioWpgs01Ar3Yn5CE/i0C2hl orkN0+/CdZtfpYReA6fNQXCZv1c4EuxGJb0iH6X0b+ugsz6J5S8lEKvDHtfAnjCXx4 7L/dOb96MbMEw== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9601FC61D92; Tue, 21 Nov 2023 11:02:29 +0000 (UTC) From: Joel Granados via B4 Relay Date: Tue, 21 Nov 2023 12:02:18 +0100 Subject: [PATCH 1/3] sysctl: Fix out of bounds access for empty sysctl registers MIME-Version: 1.0 Message-Id: <20231121-jag-fix_out_of_bounds_insert-v1-1-571e76d51316@samsung.com> References: <20231121-jag-fix_out_of_bounds_insert-v1-0-571e76d51316@samsung.com> In-Reply-To: <20231121-jag-fix_out_of_bounds_insert-v1-0-571e76d51316@samsung.com> To: Luis Chamberlain , Kees Cook , Iurii Zaikin , Shuah Khan Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Joel Granados , kernel test robot X-Mailer: b4 0.13-dev-86aa5 X-Developer-Signature: v=1; a=openpgp-sha256; l=2173; i=j.granados@samsung.com; h=from:subject:message-id; bh=cobreXk3HCy/fe/+taVz5zdST5AE6mBE5tVF2nKN+38=; b=owEB7QES/pANAwAKAbqXzVK3lkFPAcsmYgBlXI5DVBUT0AEE24uCwKvehV839kLHwKXyyRo1X n8meDbGo/eJAbMEAAEKAB0WIQSuRwlXJeYxJc7LJ5C6l81St5ZBTwUCZVyOQwAKCRC6l81St5ZB T4XhDACD0sHFiUWwSvOa9ZrJBdLqmlDgBldpLjQgNwAid0IxTK7ZhuqY2kZAFgM25UUthI0iRBO npBTvkRcg3sHn8TBXfKcDE+jQSV0LQ+yJvAMyA0dSd3s1prPiaEfm5Q4NDNI8qvEYb1XV8sbzib iA083NLadooMh58eAIIucuVqrJhdCRG3G3ytIlRPfPKsLW0QlaqvGeTAhczW+p1nvju6H5f3t8+ SqMuB1OLNRbL1f/4h9LAx5/UDWIFYWUkKOPNDpWtaGuQsTpkHiP/+4UjA/Nxth0QDwjWIwNFsDB a84glm2I6z8ST3FO2mUTSaXPuSF1DO6rragHWh0X+PqyPStu54XjV5+zebqgGDKcF34tS9c6lND owIXwGclXEKsNCWFDFAUQAGV7b6vfHr+Fn5HEAaTGl6guJjU+QPKooGQ7pX/A7lq3zeCMcUDDY4 sGNpqWTiG4YYPOkjiZ4bWgneZHeYTB2o6zuxAulDipeLQc1Y4oVk23geWgXJRDLFpxSnc= X-Developer-Key: i=j.granados@samsung.com; a=openpgp; fpr=F1F8E46D30F0F6C4A45FF4465895FAAC338C6E77 X-Endpoint-Received: by B4 Relay for j.granados@samsung.com/default with auth_id=70 X-Original-From: Joel Granados Reply-To: X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Tue, 21 Nov 2023 03:02:58 -0800 (PST) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1783171212935390285 X-GMAIL-MSGID: 1783171212935390285 From: Joel Granados When registering tables to the sysctl subsystem there is a check to see if header is a permanently empty directory (used for mounts). This check evaluates the first element of the ctl_table. This results in an out of bounds evaluation when registering empty directories. The function register_sysctl_mount_point now passes a ctl_table of size 1 instead of size 0. It now relies solely on the type to identify a permanently empty register. Make sure that the ctl_table has at least one element before testing for permanent emptiness. Signed-off-by: Joel Granados Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202311201431.57aae8f3-oliver.sang@intel.com --- fs/proc/proc_sysctl.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index de484195f49f..5b5cdc747cef 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -44,7 +44,7 @@ static struct ctl_table sysctl_mount_point[] = { */ struct ctl_table_header *register_sysctl_mount_point(const char *path) { - return register_sysctl_sz(path, sysctl_mount_point, 0); + return register_sysctl(path, sysctl_mount_point); } EXPORT_SYMBOL(register_sysctl_mount_point); @@ -233,7 +233,8 @@ static int insert_header(struct ctl_dir *dir, struct ctl_table_header *header) return -EROFS; /* Am I creating a permanently empty directory? */ - if (sysctl_is_perm_empty_ctl_table(header->ctl_table)) { + if (header->ctl_table_size > 0 && + sysctl_is_perm_empty_ctl_table(header->ctl_table)) { if (!RB_EMPTY_ROOT(&dir->root)) return -EINVAL; sysctl_set_perm_empty_ctl_header(dir_h); @@ -1213,6 +1214,10 @@ static bool get_links(struct ctl_dir *dir, struct ctl_table_header *tmp_head; struct ctl_table *entry, *link; + if (header->ctl_table_size == 0 || + sysctl_is_perm_empty_ctl_table(header->ctl_table)) + return true; + /* Are there links available for every entry in table? */ list_for_each_table_entry(entry, header) { const char *procname = entry->procname;