On Wed, Oct 17, 2018 at 11:08:38PM +0800, Macpaul Lin wrote:
> This patch is trying to fix KE issue due to
> "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
> reported by Syzkaller scan.
Did you run the scan yourself or pick it up for triage from somewhere else? A web search doesn't give any indication that this problem has been reported anywhere but this patch...

> [26364:syz-executor0][name:report&]BUG: KASAN: global-out-of-bounds in
> param_set_kgdboc_var+0x194/0x198
> [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by
> task syz-executor0/26364
> [26364:syz-executor0][name:report&]
> [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
> [26364:syz-executor0]Call trace:
> [26364:syz-executor0][<ffffff9008095cf8>] dump_backtrace+0x0/0x470
> [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
> [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+0xd8/0x128
> [26364:syz-executor0][<ffffff90084edb38>] print_address_description
> +0x80/0x4a8
> [26364:syz-executor0][<ffffff90084ee270>] kasan_report+0x178/0x390
> [26364:syz-executor0][<ffffff90084ee4a0>] __asan_report_load1_noabort+0x18/0x20
> [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+0x194/0x198
> [26364:syz-executor0][<ffffff900813af64>] param_attr_store+0x14c/0x270
> [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
> [26364:syz-executor0][<ffffff90086690c0>] sysfs_kf_write+0x100/0x158
> [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
> [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
> [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
> [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/0xb8
> [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+0xcc/0x208
> [26364:syz-executor0][<ffffff90080883f0>] el0_svc_naked+0x24/0x28
> [26364:syz-executor0][name:report&]
> [26364:syz-executor0][name:report&]The buggy address belongs to the variable:
> [26364:syz-executor0][name:report&] kgdb_tty_line+0x3f/0x40
> [26364:syz-executor0][name:report&]
> [26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa > 00 fa fa fa > [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa > 00 fa fa fa > [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa > 00 00 00 00 > [26364:syz-executor0][name:report&] ^ > [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa > fa fa fa fa > [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa > fa fa fa fa > [26364:syz-executor0][name:report&] > [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint > [26364:syz-executor0]------------[cut here]------------ > > After checking the source code, we've found there might be an out-of-bounds > access to "config[len - 1]" array when the variable "len" is zero. > > Signed-off-by: Macpaul Lin <macp...@gmail.com> Change looks OK to me so Acked-by: Daniel Thompson <daniel.thomp...@linaro.org> Daniel. > drivers/tty/serial/kgdboc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c > index b4ba2b1..c1c4219 100644 > --- a/drivers/tty/serial/kgdboc.c > +++ b/drivers/tty/serial/kgdboc.c > @@ -245,7 +245,7 @@ static void kgdboc_put_char(u8 chr) > static int param_set_kgdboc_var(const char *kmessage, > const struct kernel_param *kp) > { > - int len = strlen(kmessage); > + size_t len = strlen(kmessage); > > if (len >= MAX_CONFIG_LEN) { > printk(KERN_ERR "kgdboc: config string too long\n"); 
> @@ -267,7 +267,7 @@ static int param_set_kgdboc_var(const char *kmessage, > > strcpy(config, kmessage); > /* Chop out \n char as a result of echo */ > - if (config[len - 1] == '\n') > + if (len && config[len - 1] == '\n') > config[len - 1] = '\0'; > > if (configured == 1) > -- > 1.7.11.2.138.g2b53359 > _______________________________________________ Kgdb-bugreport mailing list Kgdb-bugreport@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/kgdb-bugreport
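Review bot: in the first hunk, the `int len` to `size_t len` change does not fix the bug by itself and would make the failure mode worse if it were split from the second hunk: with `int len`, an empty `kmessage` makes `config[len - 1]` read `config[-1]`, the single byte just below the array (consistent with the report placing the access in the redzone after `kgdb_tty_line`), whereas with `size_t` the index wraps to `SIZE_MAX` and the read becomes a wild dereference. The type change is still a correct cleanup, since `strlen()` returns `size_t` and it removes a signed/unsigned mismatch in the `len >= MAX_CONFIG_LEN` comparison, but the commit message should say the `len &&` guard is the actual fix and the two hunks must land together.

Review bot: in the second hunk, `if (len && config[len - 1] == '\n')` short-circuits before the out-of-bounds index, so the guard is correct, and the preceding `strcpy(config, kmessage)` is already bounded by the `len >= MAX_CONFIG_LEN` check. Two things for the commit message: state explicitly that a zero-length write to the `kgdboc` parameter (the `SyS_writev` -> `kernfs_fop_write` -> `param_attr_store` path shown in the report) is what produces `len == 0`, and add a `Cc: stable@vger.kernel.org` line under the Signed-off-by, since this is a KASAN-reported out-of-bounds read reachable from a sysfs write and should be backported.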