From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Minchan Kim, Makoto Wu, Sergey Senozhatsky, Andrew Morton, Linus Torvalds
Subject: [PATCH 5.0 102/146] drivers/block/zram/zram_drv.c: fix idle/writeback string compare
Date: Mon, 1 Apr 2019 19:01:54 +0200
Message-Id: <20190401170057.314389729@linuxfoundation.org>
In-Reply-To: <20190401170048.449559024@linuxfoundation.org>
References: <20190401170048.449559024@linuxfoundation.org>

5.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minchan Kim

commit 0bc9f5d14a93971c6cd9c0d81b0fc154fc54c65d upstream.

Makoto reported the below KASAN error: zram does an out-of-bounds read,
because strscpy copies from source up to count bytes unconditionally.
It could cause an out-of-bounds read on the next object in the slab. To
prevent it, use strlcpy which checks source's length automatically.

   BUG: KASAN: slab-out-of-bounds in strscpy+0x68/0x154
   Read of size 8 at addr ffffffc0c3495a00 by task system_server/1314
   ..
   Call trace:
     strscpy+0x68/0x154
     idle_store+0xc4/0x34c
     dev_attr_store+0x50/0x6c
     sysfs_kf_write+0x98/0xb4
     kernfs_fop_write+0x198/0x260
     __vfs_write+0x10c/0x338
     vfs_write+0x114/0x238
     SyS_write+0xc8/0x168
     __sys_trace_return+0x0/0x4

   Allocated by task 1314:
     __kmalloc+0x280/0x318
     kernfs_fop_write+0xac/0x260
     __vfs_write+0x10c/0x338
     vfs_write+0x114/0x238
     SyS_write+0xc8/0x168
     __sys_trace_return+0x0/0x4

   Freed by task 2855:
     kfree+0x138/0x630
     kernfs_put_open_node+0x10c/0x124
     kernfs_fop_release+0xd8/0x114
     __fput+0x130/0x2a4
     ____fput+0x1c/0x28
     task_work_run+0x16c/0x1c8
     do_notify_resume+0x2bc/0x107c
     work_pending+0x8/0x10

   The buggy address belongs to the object at ffffffc0c3495a00
    which belongs to the cache kmalloc-128 of size 128
   The buggy address is located 0 bytes inside of
    128-byte region [ffffffc0c3495a00, ffffffc0c3495a80)
   The buggy address belongs to the page:
   page:ffffffbf030d2500 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
   flags: 0x4000000000010200(slab|head)
   page dumped because: kasan: bad access detected

   Memory state around the buggy address:
    ffffffc0c3495900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ffffffc0c3495980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   >ffffffc0c3495a00: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
    ffffffc0c3495a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ffffffc0c3495b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Link: http://lkml.kernel.org/r/20190319231911.145968-1-minchan@kernel.org
Cc: [5.0]
Signed-off-by: Minchan Kim Reported-by: Makoto Wu Reviewed-by: Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/block/zram/zram_drv.c | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -290,18 +290,8 @@ static ssize_t idle_store(struct device struct zram *zram = dev_to_zram(dev); unsigned long nr_pages = zram->disksize >> PAGE_SHIFT; int index; - char mode_buf[8]; - ssize_t sz; - sz = strscpy(mode_buf, buf, sizeof(mode_buf)); - if (sz <= 0) - return -EINVAL; - - /* ignore trailing new line */ - if (mode_buf[sz - 1] == '\n') - mode_buf[sz - 1] = 0x00; - - if (strcmp(mode_buf, "all")) + if (!sysfs_streq(buf, "all")) return -EINVAL; down_read(&zram->init_lock); @@ -635,25 +625,15 @@ static ssize_t writeback_store(struct de struct bio bio; struct bio_vec bio_vec; struct page *page; - ssize_t ret, sz; - char mode_buf[8]; - int mode = -1; + ssize_t ret; + int mode; unsigned long blk_idx = 0; - sz = strscpy(mode_buf, buf, sizeof(mode_buf)); - if (sz <= 0) - return -EINVAL; - - /* ignore trailing newline */ - if (mode_buf[sz - 1] == '\n') - mode_buf[sz - 1] = 0x00; - - if (!strcmp(mode_buf, "idle")) + if (sysfs_streq(buf, "idle")) mode = IDLE_WRITEBACK; - else if (!strcmp(mode_buf, "huge")) + else if (sysfs_streq(buf, "huge")) mode = HUGE_WRITEBACK; - - if (mode == -1) + else return -EINVAL; down_read(&zram->init_lock);
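Review bot: the changelog says the fix is to "use strlcpy", but the idle_store() hunk (@@ -290) contains no strlcpy call; it removes the mode_buf copy entirely and compares the sysfs buffer in place with `if (!sysfs_streq(buf, "all"))`. Please reword the commit message so it describes the change actually made. Because sysfs_streq() reads buf up to its terminating NUL rather than up to a caller-supplied count, the changelog should also say that the comparison relies on the store buffer being NUL-terminated, since that is the property that makes dropping the bounded copy safe here.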
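Review bot: in the writeback_store() hunk (@@ -635), `int mode = -1;` becomes an uninitialized `int mode;`, so every later use of mode is defined only because the comparison chain now ends in `else return -EINVAL;`. That is correct as posted, and the return still happens before `down_read(&zram->init_lock)`, so nothing needs unwinding. It is fragile for future edits, though: a new mode string added with a plain `if` instead of `else if`, or a reordered chain, would leave mode unset without any runtime check catching it. Consider a one-line comment on the final else marking it as the reject path for unknown strings, or keep the `-1` initializer together with the explicit `if (mode == -1)` check that the hunk removes.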