Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp1747876ybd; Thu, 27 Jun 2019 00:38:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqz4i7m0NvMpAyvnTEX2rzQ0i9uXKHPV763rVhd5p+4fDCwrKjVKLrIv6Pc6qIdJDxZruVV3 X-Received: by 2002:a63:2249:: with SMTP id t9mr2411721pgm.149.1561621122846; Thu, 27 Jun 2019 00:38:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561621122; cv=none; d=google.com; s=arc-20160816; b=Pw2Qu3I6jfoXPFyubBfBZLPLl8lSYOlUfyeB/l5+ouDxja4NC+UvBSjnWXAD6BVUqL 83Qq6FaDPzXaj+6dwnuLBzeiyc4gloqbtIOEP1JHSU0PWFdhLQMy9PAtyp289fVhqqwY CteHO+ycTts0D5fWcLreJKYVMcIkA9JMlCzHNLoFYhIMttYp3dokGE+R0lg47NeWuxDE ISN7orbrlsKVHglesC4UnqZJ2XAB4G0t3Fbe6FeT5WdO8GeRYFo6ZbVqFM7/2omGdUdG mt2Yg5rrzTemXZM1nCvcYTnTqcK42CX76E+s8F+A5iliarT660yaA6CflGJ2m/DKlya0 l/jA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:mime-version:robot-unsubscribe:robot-id :git-commit-id:subject:to:references:in-reply-to:reply-to:cc :message-id:from:date:dkim-signature:dkim-filter; bh=4LQhO5iKOeqHsEwFapxOyCS0pfnKvdjPzTYio4diccA=; b=zS8AsYYRYX3y9KsW7HhVOe2b9YUnG0pMabaMu9L3kL+sgedJBqq7AfqRU8yeQzIKPD 1UtmNfXDTqAV62S/duKo6QzNJRk8KOKks0WrBQPo6DnoudzfBV6FY2XCFpj5zI+Xxhsx ZZwxG/JtWGfo8M8sI/RQ8CADURuDyKvLX6oCqnpBgC5LT5HKHhWZCI9C2d3/jvRu0HgL LCqwjEZIPgrIqR3VYsq4EGtByzrIeyl323zBdkdI4PJbDVpbdbM27KYd0c3RN3izYnKI Sp8VDTyuVIZW07YCmIN4sfnwBZewMZu2ZGoSCYim8nak/UCpdzADvH6/fA7BseudgJbF 8BcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zytor.com header.s=2019061801 header.b=oBkAdZLA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k17si1361905pgg.426.2019.06.27.00.38.23; Thu, 27 Jun 2019 00:38:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@zytor.com header.s=2019061801 header.b=oBkAdZLA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726531AbfF0Hh3 (ORCPT + 99 others); Thu, 27 Jun 2019 03:37:29 -0400 Received: from terminus.zytor.com ([198.137.202.136]:59901 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726059AbfF0Hh3 (ORCPT ); Thu, 27 Jun 2019 03:37:29 -0400 Received: from terminus.zytor.com (localhost [127.0.0.1]) by terminus.zytor.com (8.15.2/8.15.2) with ESMTPS id x5R7bAJg177138 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 27 Jun 2019 00:37:10 -0700 DKIM-Filter: OpenDKIM Filter v2.11.0 terminus.zytor.com x5R7bAJg177138 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2019061801; t=1561621031; bh=4LQhO5iKOeqHsEwFapxOyCS0pfnKvdjPzTYio4diccA=; h=Date:From:Cc:Reply-To:In-Reply-To:References:To:Subject:From; b=oBkAdZLATCASnJM0AXQjrrvlC7qmQMNjs4A5HdZ9+SVOj6sHqoL2qRh0hmTS3wVd0 5Rtpb3/S/2XLMrA8H1ksZw2T/BBbb+YDdzHAnSkG0aaHAI71tjNFSB52/dyiwnWob7 I/SR1r5+ET0s46WcZjnxC5qNMKLI0Bs9qeOvD/onDZ6l/Qmso2/xydODkrV3UjgxXl O8oLqjOXaP6HHL2R+0o8grV4F2tdocfeeWRcW3dQmM54fojzPglPctNqqVPj7ZCzlu b1inHcI0KMKUah9+u2iuPIT27ZdSXTvTrP5GuDxBKz8H/IAIvO7mha4dQuyNIsQHby TKhvvKChnIIMw== Received: (from tipbot@localhost) by terminus.zytor.com (8.15.2/8.15.2/Submit) id x5R7bATa177135; Thu, 27 Jun 2019 00:37:10 -0700 Date: Thu, 27 Jun 2019 00:37:10 -0700 X-Authentication-Warning: terminus.zytor.com: tipbot set sender to tipbot@zytor.com using -f From: tip-bot for Eiichi Tsukata Message-ID: Cc: linux-kernel@vger.kernel.org, mingo@kernel.org, hpa@zytor.com, devel@etsukata.com, tglx@linutronix.de Reply-To: mingo@kernel.org, linux-kernel@vger.kernel.org, hpa@zytor.com, devel@etsukata.com, tglx@linutronix.de In-Reply-To: <20190627024732.31672-1-devel@etsukata.com> References: <20190627024732.31672-1-devel@etsukata.com> To: linux-tip-commits@vger.kernel.org Subject: [tip:smp/urgent] cpu/hotplug: Fix out-of-bounds read when setting fail state Git-Commit-ID: 33d4a5a7a5b4d02915d765064b2319e90a11cbde X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline X-Spam-Status: No, score=0.1 required=5.0 tests=ALL_TRUSTED,BAYES_00, DATE_IN_FUTURE_12_24,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU, DKIM_VALID_EF autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on terminus.zytor.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit-ID: 33d4a5a7a5b4d02915d765064b2319e90a11cbde Gitweb: https://git.kernel.org/tip/33d4a5a7a5b4d02915d765064b2319e90a11cbde Author: Eiichi Tsukata AuthorDate: Thu, 27 Jun 2019 11:47:32 +0900 Committer: Thomas Gleixner CommitDate: Thu, 27 Jun 2019 09:34:04 +0200 cpu/hotplug: Fix out-of-bounds read when setting fail state Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail can control `struct cpuhp_step *sp` address, results in the following global-out-of-bounds read. Reproducer: # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail KASAN report: BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0 Read of size 8 at addr ffffffff89734438 by task bash/1941 CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31 Call Trace: write_cpuhp_fail+0x2cd/0x2e0 dev_attr_store+0x58/0x80 sysfs_kf_write+0x13d/0x1a0 kernfs_fop_write+0x2bc/0x460 vfs_write+0x1e1/0x560 ksys_write+0x126/0x250 do_syscall_64+0xc1/0x390 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f05e4f4c970 The buggy address belongs to the variable: cpu_hotplug_lock+0x98/0xa0 Memory state around the buggy address: ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa ^ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Add a sanity check for the value written from user space. Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection") Signed-off-by: Eiichi Tsukata Signed-off-by: Thomas Gleixner Cc: peterz@infradead.org Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com --- kernel/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/cpu.c b/kernel/cpu.c index 551db494f153..ef1c565edc5d 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1964,6 +1964,9 @@ static ssize_t write_cpuhp_fail(struct device *dev, if (ret) return ret; + if (fail < CPUHP_OFFLINE || fail > CPUHP_ONLINE) + return -EINVAL; + /* * Cannot fail STARTING/DYING callbacks. */