Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4141606ybl; Mon, 3 Feb 2020 13:23:51 -0800 (PST) X-Google-Smtp-Source: APXvYqzSI2FBex1wPXfugLBu+VNCFN30y6Qtz9EY5lDNy0p73VsLYNRUi+V75mh6oU9HTe0i55Ji X-Received: by 2002:a9d:588c:: with SMTP id x12mr18780170otg.2.1580765031754; Mon, 03 Feb 2020 13:23:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580765031; cv=none; d=google.com; s=arc-20160816; b=ftTj2PmKoWtuYTuQm6tAJCPclz1/5SmRitA3vd2wjE9kgFeCF64mM9liMJ0uxtlo3T uy8WRMi371vphP3hRkzghMtu6op+BIhFEVpqGzMPYPvPhGYIGO6/aaazVnXp9JT4UF3q Gtmxg2EEfwmJDMXWV+3anj2t27fBd9ow1cGCn1fv5ynbxLjw+3XorvoAAQVs16ohKeCI oKKvXFaocaHuiJeKeAKmJUjO0jjH1ejCPLE5A0xDnbScyommfiH8LUnmGtiyxwm3pr9a J7rnLUZ4fzcuVPD2SobJ7vazLG/LFaVUrgnLWtfGsQQ2LcETA/5ug1rsWCfARGENZJlh IaqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=dIcgoknJRV2xvDzVGBwxmNoSCRUFhrMkWDv+f+nsEKk=; b=X8XtMTvcg3oVdxX06Dsxll0QadUSOYwmlLkAcYsDR7+N05Q0ddrw2R1De66tlZNiGv Sm8cRTGplKclrOjFZODJSkajawoZTeJtnR0j4i22IysHUA7ezIbayjIIF/xYpjYSEwSx SzsaTJxZlIqULKXgwEnW/0eMj1E2wq8IWFQClbvG9DulDlV4ICvUMlkIFlpH4mFnk87E exyRA8m0XfoVsW1b6NVnoPHEaISXa8uow6IFDIijTLIAGxOrtE/JcSIHsW3g6f76keAM Q2RDgIsHly5MmuU7qGH3ZN8Dz+OHyH8z85CbsSMDEBJkTqGTsjkdEchH0V/8uB5G/nep rWGA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iEOMjOJX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o8si9627262oti.47.2020.02.03.13.23.40; Mon, 03 Feb 2020 13:23:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iEOMjOJX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727223AbgBCVWV (ORCPT + 99 others); Mon, 3 Feb 2020 16:22:21 -0500 Received: from mail-qt1-f201.google.com ([209.85.160.201]:40471 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725372AbgBCVWV (ORCPT ); Mon, 3 Feb 2020 16:22:21 -0500 Received: by mail-qt1-f201.google.com with SMTP id e37so10903029qtk.7 for ; Mon, 03 Feb 2020 13:22:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=dIcgoknJRV2xvDzVGBwxmNoSCRUFhrMkWDv+f+nsEKk=; b=iEOMjOJXdHuEfLB1vNdA8MV5ITFgbImLjQ27HHaP+arX5Of+fVrR86W67FhfMctrQh KO8BJbUXpEm4m2HF33GhVRsVUGZHWsmV9KL6EHRj3eDiZeSM2L4dioUjnngvsNuth8Ut 9gQ80srvPKZ6iAlCVDG8pkoF0L+HkEBEs5Uqfis+eyBvE+PooIFZlCQF5EXg0WCVwP6q u67RpDXPKEvHVvZJeEpudPHwXIJaroogdQWUeV9imt1Jwr0YdIdzcEFgAOvNhv/Bdipq uo9OXH8x2NAHHfbuVAOERxe4Kwrvp59yjiMzYr4XkxWJssCSJZFVB8KBNSDQN2+215eC Tamg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=dIcgoknJRV2xvDzVGBwxmNoSCRUFhrMkWDv+f+nsEKk=; b=OJKSlYM5XV2CqW6OUkvbmFL6PHHD2Gw0Hzwwz2pPH7JntNOjLZuknUxQz/uTKzXpTv 5smvRxaPl4rf6udfR7dj/0GWBQze+wHVM3tayFc5KMLxulk6GQ07TOjlrQ9ge5Yd6V4T f8TaTTtpnGinUJ9m+qWmxsAaqK+yfS5jGeTLdlOXXIBJYBwye8QEvU0BmSxtDNpfdTHu o0C21wGQ7POPbuGtAZKlCfPFB9eRVgdFszBHdqW0TfEtfbd5Bzw1PSbvx6zL8K+ZjY8c xIyUr9fM7eW+w9T0dTtweOSJ52DKUmW482G/WJ/80Jz1d4AdBPS394m9YTSOu1z16Lt5 oTug== X-Gm-Message-State: APjAAAU0DquAkQ4XnEe3A6/66qI6XnY0x+XrA+zARiedREEnE7l1KLdP m0c0kol6uBn4cEAGf+E6bTIqb+S6qAY= X-Received: by 2002:ac8:6bd9:: with SMTP id b25mr25583707qtt.347.1580764940186; Mon, 03 Feb 2020 13:22:20 -0800 (PST) Date: Mon, 3 Feb 2020 13:22:16 -0800 Message-Id: <20200203212216.7076-1-surenb@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.25.0.341.g760bfbb309-goog Subject: [PATCH] psi: Fix OOB write when writing 0 bytes to psi files From: Suren Baghdasaryan To: surenb@google.com Cc: mingo@redhat.com, peterz@infradead.org, hannes@cmpxchg.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de, linux-kernel@vger.kernel.org, kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Issuing write() with count parameter set to 0 on any file under /proc/pressure/ will cause an OOB write because of the access to buf[buf_size-1] when NUL-termination is performed. Fix this by checking for buf_size to be non-zero. Signed-off-by: Suren Baghdasaryan --- kernel/sched/psi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index db7b50bba3f1..38ccd49b9bf6 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -1199,6 +1199,9 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, if (static_branch_likely(&psi_disabled)) return -EOPNOTSUPP; + if (!nbytes) + return -EINVAL; + buf_size = min(nbytes, sizeof(buf)); if (copy_from_user(buf, user_buf, buf_size)) return -EFAULT; -- 2.25.0.341.g760bfbb309-goog