Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4423277ybb; Tue, 7 Apr 2020 07:15:50 -0700 (PDT) X-Google-Smtp-Source: APiQypIAsA6P6cIXJ/eJMxn2VlIaxndHfJMS/q4Wul3epnxy3PJqoBXtTMuWXJFZGE1MgMsbgHIc X-Received: by 2002:a9d:69d8:: with SMTP id v24mr1761141oto.148.1586268950480; Tue, 07 Apr 2020 07:15:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586268950; cv=none; d=google.com; s=arc-20160816; b=BlVNKOBPhyrWKNmYKX56MtF+4YUPPLF0iIyOBsM7mrMOqcbC5dJlx5VI4njnvyoLpc h3T6YW0oCNWi8xzolxvOQHY36p+825vjJOKrAFYKOaDeJBsjiyHoWlBWTMYs/vv7Bca6 bzuRee81R4sSi2X7aEwPX8VVLEH655CZTcLfvkBUEMvAOcKnf6iJo7gaFJq8n17ODTja Cn96ROXmbkSSt6sIuIxVHrC1PL61JelQVXsNkpMK8nl8oTG3MwDl+m/tqpihjIeIWQJ7 bkzcfeVv43kqOrlAtnyVAMeR54SoEpYNgSNMMKXyd5l2kKt9wOM7wU8XdIw1zVG/++Uo LUfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:subject:cc:to:from:message-id:date; bh=De/VOXGMC+m5yb8Vj33nlTz8n1RAy7reTbQiU+ZxQUs=; b=etEVKXaB5ngWs6uQoueG0NRkS487haG4O990Qn4Fm1Xvh9/1k/6y6fgvmFigAYhwwi iSNA6L292FKKHswKHhfFVPl7QzWGmTPafwrayQOO092KXQB9TKIW8rxoF40SKA0Xh+wL grUs6TIQteBaw7m9hje75v6y5jCRQOPwBdCUE3mEKU/jZ1LZPDyoS11ABx6z/8Osh6Lj zNas8emijU2KHHJ/SMgK/hE11nGcYsrxNuf4Vepn/WmOUE7f/nbG7A6w2l3yPURm3Seo VeRSYZqYJXrbRlKB3NTWTmmVt1EpKLLN9Q0nOKItfjjYFSW/EW16ykgrf89Czs5UIaHN ZOow== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y65si727627oie.92.2020.04.07.07.15.22; Tue, 07 Apr 2020 07:15:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728994AbgDGOMv (ORCPT + 99 others); Tue, 7 Apr 2020 10:12:51 -0400 Received: from mx2.suse.de ([195.135.220.15]:43586 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728640AbgDGOMv (ORCPT ); Tue, 7 Apr 2020 10:12:51 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 947B3ACA1; Tue, 7 Apr 2020 14:12:48 +0000 (UTC) Date: Tue, 07 Apr 2020 16:12:48 +0200 Message-ID: From: Takashi Iwai To: Amit Kucheria Cc: Takashi Iwai , Zhang Rui , Daniel Lezcano , Linux PM list , LKML Subject: Re: [PATCH] thermal: Add a sanity check for invalid state at stats update In-Reply-To: References: <20200330140859.12535-1-tiwai@suse.de> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 07 Apr 2020 15:30:51 +0200, Amit Kucheria wrote: > > On Mon, Mar 30, 2020 at 7:39 PM Takashi Iwai wrote: > > > > The thermal sysfs handler keeps the statistics table with the fixed > > size that was determined from the initial max_states() call, and the > > table entry is updated at each sysfs cur_state write call. And, when > > the driver's set_cur_state() ops accepts the value given from > > user-space, the thermal sysfs core blindly applies it to the > > statistics table entry, which may overflow and cause an Oops. > > Although it's rather a bug in the driver's ops implementations, we > > shouldn't crash but rather give a proper warning instead. > > > > This patch adds a sanity check for avoiding such an OOB access and > > warns with a stack trace to show the suspicious device in question. > > Hi Takashi, > > Instead of this warning, I think we should reject such input when > writing to cur_state. > > See attached patch. If you think this OK, I'll submit it. Actually the input value itself is correct, the problem is rather about the max_states that may vary depending on other driver. So IMO, we don't want to refuse the input completely. Please see the thread: https://lore.kernel.org/linux-acpi/s5h5zeiwd01.wl-tiwai@suse.de/ thanks, Takashi > > Regards, > Amit > > > Signed-off-by: Takashi Iwai > > --- > > > > We've hit some crash by stress tests, and this patch at least works > > around the crash itself. While the actual bug fix of the buggy driver > > is still being investigated, I submit the hardening in the core side > > at first. > > > > drivers/thermal/thermal_sysfs.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c > > index aa99edb4dff7..a23c4e701d63 100644 > > --- a/drivers/thermal/thermal_sysfs.c > > +++ b/drivers/thermal/thermal_sysfs.c > > @@ -772,6 +772,11 @@ void thermal_cooling_device_stats_update(struct thermal_cooling_device *cdev, > > > > spin_lock(&stats->lock); > > > > + if (dev_WARN_ONCE(&cdev->device, new_state >= stats->max_states, > > + "new state %ld exceeds max_state %ld", > > + new_state, stats->max_states)) > > + goto unlock; > > + > > if (stats->state == new_state) > > goto unlock; > > > > -- > > 2.16.4 > > > From 54266260d483ab4476510dd4461a1cafc611e17d Mon Sep 17 00:00:00 2001 > Message-Id: <54266260d483ab4476510dd4461a1cafc611e17d.1586266224.git.amit.kucheria@linaro.org> > From: Amit Kucheria > Date: Tue, 7 Apr 2020 18:48:14 +0530 > Subject: [PATCH] thermal: Reject invalid cur_state input from userspace > > We don't check if the cur_state value input in sysfs is greater than the > maximum cooling state that the cooling device supports. This can cause > access to unallocated memory in case THERMAL_STATISTICS in enabled and > could also crash cooling devices that don't check for an invalid state in > their set_cur_state() callback. > > Return an error if the state being requested in greater than the maximum > cooling state the device supports. > > Reported-by: Takashi Iwai > Signed-off-by: Amit Kucheria > --- > drivers/thermal/thermal_sysfs.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c > index 7e1d11bdd258..8033e5a9386a 100644 > --- a/drivers/thermal/thermal_sysfs.c > +++ b/drivers/thermal/thermal_sysfs.c > @@ -703,7 +703,7 @@ cur_state_store(struct device *dev, struct device_attribute *attr, > const char *buf, size_t count) > { > struct thermal_cooling_device *cdev = to_cooling_device(dev); > - unsigned long state; > + unsigned long state, max_state; > int result; > > if (sscanf(buf, "%ld\n", &state) != 1) > @@ -712,6 +712,13 @@ cur_state_store(struct device *dev, struct device_attribute *attr, > if ((long)state < 0) > return -EINVAL; > > + result = cdev->ops->get_max_state(cdev, &max_state); > + if (result) > + return result; > + > + if (state >= max_state) > + return -EINVAL; > + > mutex_lock(&cdev->lock); > > result = cdev->ops->set_cur_state(cdev, state); > -- > 2.20.1 >