From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, kernel test robot, stable@vger.kernel.org, Jessica Yu, Shuah Khan, Greg Kroah-Hartman, Masahiro Yamada, linux-kselftest@vger.kernel.org
Subject: [PATCH 1/2] module: Correctly truncate sysfs sections output
Date: Thu, 6 Aug 2020 23:35:38 -0700
Message-Id: <20200807063539.2620154-2-keescook@chromium.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200807063539.2620154-1-keescook@chromium.org>
References: <20200807063539.2620154-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

The only-root-readable /sys/module/$module/sections/$section files
did not truncate their output to the available buffer size. While most
paths into the kernfs read handlers end up using PAGE_SIZE buffers,
it's possible to get there through other paths (e.g. splice, sendfile).
Actually limit the output to the "count" passed into the read function,
and report it back correctly.

*sigh*

Reported-by: kernel test robot
Link: https://lore.kernel.org/lkml/20200805002015.GE23458@shao2-debian
Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute")
Cc: stable@vger.kernel.org
Cc: Jessica Yu
Signed-off-by: Kees Cook
---
 kernel/module.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c index aa183c9ac0a2..08c46084d8cc 100644 --- a/kernel/module.c +++ b/kernel/module.c
@@ -1520,18 +1520,34 @@ struct module_sect_attrs { struct module_sect_attr attrs[]; }; +#define MODULE_SECT_READ_SIZE (3 /* "0x", "\n" */ + (BITS_PER_LONG / 4)) static ssize_t module_sect_read(struct file *file, struct kobject *kobj, struct bin_attribute *battr, char *buf, loff_t pos, size_t count) { struct module_sect_attr *sattr = container_of(battr, struct module_sect_attr, battr); + char bounce[MODULE_SECT_READ_SIZE + 1]; + size_t wrote; if (pos != 0) return -EINVAL; - return sprintf(buf, "0x%px\n", - kallsyms_show_value(file->f_cred) ? (void *)sattr->address : NULL); + /* + * Since we're a binary read handler, we must account for the + * trailing NUL byte that sprintf will write: if "buf" is + * too small to hold the NUL, or the NUL is exactly the last + * byte, the read will look like it got truncated by one byte. + * Since there is no way to ask sprintf nicely to not write + * the NUL, we have to use a bounce buffer. + */ + wrote = scnprintf(bounce, sizeof(bounce), "0x%px\n", + kallsyms_show_value(file->f_cred) + ? (void *)sattr->address : NULL); + count = min(count, wrote); + memcpy(buf, bounce, count); + + return count; } static void free_sect_attrs(struct module_sect_attrs *sect_attrs) @@ -1580,7 +1596,7 @@ static void add_sect_attrs(struct module *mod, const struct load_info *info) goto out; sect_attrs->nsections++; sattr->battr.read = module_sect_read; - sattr->battr.size = 3 /* "0x", "\n" */ + (BITS_PER_LONG / 4); + sattr->battr.size = MODULE_SECT_READ_SIZE; sattr->battr.attr.mode = 0400; *(gattr++) = &(sattr++)->battr; } -- 2.25.1
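
Review bot: in module_sect_read(), the unchanged `if (pos != 0) return -EINVAL;` check combines with the new `count = min(count, wrote);` so that a truncated read can never be continued. A caller whose buffer is smaller than the formatted address gets a short read, and the follow-up read at a non-zero offset fails with -EINVAL instead of returning the remaining bytes. If reading in pieces is meant to work, copy from `bounce + pos` with the length clamped to `wrote - pos` (memory_read_from_buffer() does exactly this); if it is not, the comment block should say that a short buffer yields a deliberately partial value. Two smaller points in the same hunk: the comment talks about sprintf while the call is scnprintf, and `wrote` is a size_t holding scnprintf's int return, which is only safe because scnprintf never returns a negative value, so a word on that would help the next reader.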