Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-02-14 11:57:30 +0100
committerTakashi Iwai <tiwai@suse.de>2019-02-14 11:57:34 +0100
commit81f4204151efaa1879b2b1886b56b84ef41be5d5 (patch)
tree20f2b5e872874349e614781ca9575f56469d7a82
parent3aab6bcc22ca7e9eb08be8d2b842b4cc94043b02 (diff)
kgdboc: fix KASAN global-out-of-bounds bug in
param_set_kgdboc_var() (bsc#1051510).
-rw-r--r--patches.fixes/kgdboc-fix-KASAN-global-out-of-bounds-bug-in-param_s.patch81
-rw-r--r--series.conf1
2 files changed, 82 insertions, 0 deletions
diff --git a/patches.fixes/kgdboc-fix-KASAN-global-out-of-bounds-bug-in-param_s.patch b/patches.fixes/kgdboc-fix-KASAN-global-out-of-bounds-bug-in-param_s.patch
new file mode 100644
index 0000000000..fb61be62c9
--- /dev/null
+++ b/patches.fixes/kgdboc-fix-KASAN-global-out-of-bounds-bug-in-param_s.patch
@@ -0,0 +1,81 @@
+From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul@gmail.com>
+Date: Wed, 17 Oct 2018 23:08:38 +0800
+Subject: [PATCH] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
+Git-commit: dada6a43b0402eba438a17ac86fdc64ac56a4607
+Patch-mainline: v4.20-rc6
+References: bsc#1051510
+
+This patch is trying to fix KE issue due to
+"bug: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
+reported by Syzkaller scan."
+
+[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
+[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
+[26364:syz-executor0]Call trace:
+[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
+[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
+[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
+[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
+[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
+[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
+[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
+[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
+[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
+[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
+[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
+[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
+[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
+[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
+[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
+[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
+[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]Memory state around the buggy address:
+[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+[26364:syz-executor0][name:report&] ^
+[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
+[26364:syz-executor0]------------[cut here]------------
+
+After checking the source code, we've found there might be an out-of-bounds
+access to "config[len - 1]" array when the variable "len" is zero.
+
+Signed-off-by: Macpaul Lin <macpaul@gmail.com>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/kgdboc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -250,7 +250,7 @@ static void kgdboc_put_char(u8 chr)
+
+ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdboc: config string too long\n");
+@@ -272,7 +272,7 @@ static int param_set_kgdboc_var(const ch
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ if (configured == 1)
diff --git a/series.conf b/series.conf
index 603c9afa67..a0da16b579 100644
--- a/series.conf
+++ b/series.conf
@@ -19790,6 +19790,7 @@
patches.drivers/xhci-Prevent-U1-U2-link-pm-states-if-exit-latency-is.patch
patches.drivers/tty-do-not-set-TTY_IO_ERROR-flag-if-console-port.patch
patches.drivers/tty-serial-8250_mtk-always-resume-the-device-in-prob.patch
+ patches.fixes/kgdboc-fix-KASAN-global-out-of-bounds-bug-in-param_s.patch
patches.drivers/staging-rtl8712-Fix-possible-buffer-overrun.patch
patches.drivers/Revert-commit-ef9209b642f-staging-rtl8723bs-Fix-inde.patch
patches.arch/x86-build-Fix-compiler-support-check-for-CONFIG_RETP.patch