Received: by 10.223.185.116 with SMTP id b49csp1014075wrg; Wed, 21 Feb 2018 10:34:37 -0800 (PST) X-Google-Smtp-Source: AH8x225EVMUTrjvOwaNSmBHRja6jVViqjlknqNm7TlAQ1ekm52l9nPcAnwW8P4yVKnV6waEckIaq X-Received: by 10.98.65.198 with SMTP id g67mr4150578pfd.127.1519238077484; Wed, 21 Feb 2018 10:34:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519238077; cv=none; d=google.com; s=arc-20160816; b=eUVpu4USGo/MC6nko54A0tRtLPLg5S8bz8UTf2i0rcRv7g7eaJh5eaUwWSFUtFq6+W mu+nUvhJSIrsk0UO+l3vqBaBS+O3pynK9OeuxeAKcmnAu9PiXdX3yAJPFK9rxXg9msjI H2L6twn3OZlnOps9MXqFDqtv28UsJRe7LCRjAmQrTHEdcsByiON61q+J80WFhpFPPP4b 4vuFih67tsCn5J3T+VeRW1a/m9Da0CaEpiNfef7Am18TSiG2VKL3ibGST+mtzAAulkSh o/0R727nH7bFn/GuA9lWP+A811LEODTIc457W/H4fdOzF8Hz3RAgbHcOGbEKGGqsJXT0 j9lQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=3ptuJ51Rs7HbZlnE3uVygS+gNPzV0V2yqOV5v3feltA=; b=1H1JAGHJ898SX/UhP55S78wrwc7Av+DvcXfe7Peaav/5WLR7lp1ga3LvZTCa8j/TQy /v2fDPbyLRuAP3SBeXwusiPnGhE9m7zQTjISmKMpPDUmorGStmUwt63AXI5hxYSofx5f UJD1Nmlm5GFg2fLnJLpWF45gG/QvbcL+ZO9N8Dl9sgzNBDyofk9kQb73Wnh2DZfzYIRC VRxoXmTr3EwW53DRnMiSsrxpR1ObnnUk3jmy2azIOMYEsMAGstFmpuhGkpskoZpjqAR6 1+oTFYysbdUwi8Cl1qw0Q5s+w5eGUkq2qGDIZoTxfjUB0YXz0wI4+4suLnZDhZmQrcYB SdVw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b127si1600059pgc.220.2018.02.21.10.34.20; Wed, 21 Feb 2018 10:34:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936182AbeBUNJA (ORCPT + 99 others); Wed, 21 Feb 2018 08:09:00 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:42644 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965359AbeBUNI4 (ORCPT ); Wed, 21 Feb 2018 08:08:56 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 76E4111DF; Wed, 21 Feb 2018 13:08:55 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrey Ryabinin , Andy Shevchenko Subject: [PATCH 4.15 057/163] platform/x86: wmi: fix off-by-one write in wmi_dev_probe() Date: Wed, 21 Feb 2018 13:48:06 +0100 Message-Id: <20180221124533.615600146@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180221124529.931834518@linuxfoundation.org> References: <20180221124529.931834518@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Andrey Ryabinin commit 6e1d8ea90932f77843730ada0bfea63093b7212a upstream. wmi_dev_probe() allocates one byte less than necessary, thus subsequent sprintf() call writes trailing zero past the end of the 'buf': BUG: KASAN: slab-out-of-bounds in vsnprintf+0xda4/0x1240 Write of size 1 at addr ffff880423529caf by task kworker/1:1/32 Call Trace: dump_stack+0xb3/0x14d print_address_description+0xd7/0x380 kasan_report+0x166/0x2b0 vsnprintf+0xda4/0x1240 sprintf+0x9b/0xd0 wmi_dev_probe+0x1c3/0x400 driver_probe_device+0x5d1/0x990 bus_for_each_drv+0x109/0x190 __device_attach+0x217/0x360 bus_probe_device+0x1ad/0x260 deferred_probe_work_func+0x10f/0x5d0 process_one_work+0xa8b/0x1dc0 worker_thread+0x20d/0x17d0 kthread+0x311/0x3d0 ret_from_fork+0x3a/0x50 Allocated by task 32: kasan_kmalloc+0xa0/0xd0 __kmalloc+0x14f/0x3e0 wmi_dev_probe+0x182/0x400 driver_probe_device+0x5d1/0x990 bus_for_each_drv+0x109/0x190 __device_attach+0x217/0x360 bus_probe_device+0x1ad/0x260 deferred_probe_work_func+0x10f/0x5d0 process_one_work+0xa8b/0x1dc0 worker_thread+0x20d/0x17d0 kthread+0x311/0x3d0 ret_from_fork+0x3a/0x50 Increment allocation size to fix this. Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers") Signed-off-by: Andrey Ryabinin Cc: Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman --- drivers/platform/x86/wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/platform/x86/wmi.c +++ b/drivers/platform/x86/wmi.c @@ -933,7 +933,7 @@ static int wmi_dev_probe(struct device * goto probe_failure; } - buf = kmalloc(strlen(wdriver->driver.name) + 4, GFP_KERNEL); + buf = kmalloc(strlen(wdriver->driver.name) + 5, GFP_KERNEL); if (!buf) { ret = -ENOMEM; goto probe_string_failure;