Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp307831pxu; Thu, 7 Jan 2021 05:42:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJwcTAzgSDdjFgII/l+pT9vHZdxBSZHaK05k2LIDaQ6tc2y04aXg8cbFwuG4sgmk0ghg+SOS X-Received: by 2002:a17:906:3fc4:: with SMTP id k4mr6162730ejj.137.1610026958726; Thu, 07 Jan 2021 05:42:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610026958; cv=none; d=google.com; s=arc-20160816; b=LRY9C27ibl+9WgXl482GvgURDWIm2z1qxY2wslm/5KxhYaRNLcnb+Gp2WA8py5KbBK 0UuoZlmQ6k9W7vA03Rzybp0YvZOgYh9lf0RTmKAi49AlzREF5nULolSBbgLdRArnIFOo owdlOiVEwvV0zm6w0O/EK/3wz7A8QIkWHE+8HE13y+eeILwIJ73J9qoAdLkwUydbEyAr KmlBXJJ6BpwLC00qsrUxc3pra5u15xreFU6WTy7noYVBHClL1fAmLhVfov3pWS4o6/x6 OeFW8Q3DVZ0v+XNSyOhm+qJAeEdQeUr/BsEC7G9oUx0eSopMCq0H51Rg53GcJHUQkSVA AOfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=oHAKwH9vSA8AdCN9U8+YV/5eT7vno7k7DP5s7UpkfBg=; b=TZzYtB6RXpGK7LR98xrgAYZhQvElQLej0N+lhfnV1axELsL1SjBtFmNztg5mxqqt77 MccPVC0nmGA+JWRnEch3CKdh2jsJQT35KQp8tFD1K2YIpU79WBuPHgEugjbleiFL7rKG 2oraMUuVgOGAVtDcyc+HkF5aUIHId4yG7QiyCHFAFojAgV4uwIbMPxRQW1K11TtjaQDq O2lRKx2ROULBHEeIfEb2lL79YlvNTkhIAEziZjCdDnr/ccIDvCx8rdTFX0RljhUTgHrM lXhe/66avbxWYKs9U90JsoHiSW4u8nXCuLeVuYk7azQ+6PBD45OhG2AuCyTOU7+9gDC1 ot9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ILYsePsM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t19si2250991edt.283.2021.01.07.05.42.14; Thu, 07 Jan 2021 05:42:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ILYsePsM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728371AbhAGNkl (ORCPT + 99 others); Thu, 7 Jan 2021 08:40:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48768 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726326AbhAGNkl (ORCPT ); Thu, 7 Jan 2021 08:40:41 -0500 Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EC205C0612F4; Thu, 7 Jan 2021 05:40:00 -0800 (PST) Received: by mail-pg1-x52a.google.com with SMTP id n7so4867735pgg.2; Thu, 07 Jan 2021 05:40:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=oHAKwH9vSA8AdCN9U8+YV/5eT7vno7k7DP5s7UpkfBg=; b=ILYsePsM8H1Vk3NA2Rgig07+0vr1Bf45DH7Yeifbhij3qlF3BkhC9x9pYjc+9VszqK Lq82wjwebEOBpNHoGGfgoyT4xrpbp1+xOvMW9dRos6xT/iArW024RRANP9QJXyasLoW3 BmELKZMNl3erkAnM6A412pCyWPGWL7KwB0/4M55fHSEp759spG9k8veZoDKxqE/b9+PD n4y9aWjKuAHOpdyIXXlHnxutUu2WFHfA7oSL90LtSk9FYSvaDxdaYmBlIPkoSAZny1QX pSKQAeCp98/lffvD5KNxrv6lSqsOx4/Tz1XMEIR1NJ1kTGlyshM4VmM9r+PJd8lETT57 vEfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=oHAKwH9vSA8AdCN9U8+YV/5eT7vno7k7DP5s7UpkfBg=; b=CdrpYWdVnAdi/X+Bq0hHDYknUrH1UVBlX9en0bazRhy4ppgJQXsvwO9C28n8D8WT67 y3mHQxogUeB/sGLriJG00jFhlbLVDvXnEsbW2/n+do2txkMKljVC6ex7Fj0XTZUGHnDS EiLwalO00atlyzaBflo4jvzzyoPkoGLW3k1QH3vYk67IDPKwGZIvVw+PYmGTM2aXfJgF +vWcIETaCpIlgYp8oP4A74Z+iVPxqL5sFjLFSP7n88LDqi8wIhkAdylKOqAMAghvHeDl ThjZZWZ2texGO46KfCKF0UdR7Skm16PmldkQYeaH1tzJiKgyWp0ysNIKgM5aCg1Tu6I5 RNHQ== X-Gm-Message-State: AOAM53025HmwGbNxEmCWQF1PhfZppsaeCOVcLjlyKKs9xgpneXciC1Dw c20jliy5ErlKmDZN0MngSkyqUAAwSqkCWxX+ngU= X-Received: by 2002:a05:6a00:8c7:b029:19d:afa5:34e5 with SMTP id s7-20020a056a0008c7b029019dafa534e5mr9076108pfu.30.1610026800319; Thu, 07 Jan 2021 05:40:00 -0800 (PST) Received: from ?IPv6:2405:201:9004:69cd:a39f:75ee:d9e7:25d7? ([2405:201:9004:69cd:a39f:75ee:d9e7:25d7]) by smtp.gmail.com with ESMTPSA id a1sm5733114pfo.56.2021.01.07.05.39.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 Jan 2021 05:39:59 -0800 (PST) Subject: Re: [PATCH] ACPI: scan: Fix a Hyper-V Linux VM panic caused by buffer overflow To: decui@microsoft.com, linux-acpi@vger.kernel.org, rjw@rjwysocki.net, len.brown@intel.com, mikelley@microsoft.com Cc: linux-kernel@vger.kernel.org, wei.liu@kernel.org, sthemmin@microsoft.com, haiyangz@microsoft.com, kys@microsoft.com References: <20201218040826.57203-1-decui@microsoft.com> From: Dwaipayan Ray Message-ID: <42a039e8-d31e-9f17-bfe6-6a50968688db@gmail.com> Date: Thu, 7 Jan 2021 19:09:53 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0 MIME-Version: 1.0 In-Reply-To: <20201218040826.57203-1-decui@microsoft.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 18/12/20 9:38 am, Dexuan Cui wrote: > Linux VM on Hyper-V crashes with the latest mainline: > > [ 4.069624] detected buffer overflow in strcpy > [ 4.077733] kernel BUG at lib/string.c:1149! > .. > [ 4.085819] RIP: 0010:fortify_panic+0xf/0x11 > ... > [ 4.085819] Call Trace: > [ 4.085819] acpi_device_add.cold.15+0xf2/0xfb > [ 4.085819] acpi_add_single_object+0x2a6/0x690 > [ 4.085819] acpi_bus_check_add+0xc6/0x280 > [ 4.085819] acpi_ns_walk_namespace+0xda/0x1aa > [ 4.085819] acpi_walk_namespace+0x9a/0xc2 > [ 4.085819] acpi_bus_scan+0x78/0x90 > [ 4.085819] acpi_scan_init+0xfa/0x248 > [ 4.085819] acpi_init+0x2c1/0x321 > [ 4.085819] do_one_initcall+0x44/0x1d0 > [ 4.085819] kernel_init_freeable+0x1ab/0x1f4 > > This is because of the recent buffer overflow detection in the > commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in fortified string functions") > > Here acpi_device_bus_id->bus_id can only hold 14 characters, while the > the acpi_device_hid(device) returns a 22-char string > "HYPER_V_GEN_COUNTER_V1". > > Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a > string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8 > chars. > > The field bus_id in struct acpi_device_bus_id was originally defined as > char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the > commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI devices") > > It looks like so far an ID string of >=15 chars is only seen in the guest > BIOS/firmware by Hyper-V, and AFAIK the ID string "HYPER_V_GEN_COUNTER_V1" > is never used by Linux VM on Hyper-V, so let's just truncate the string to > fix the panic. > > Signed-off-by: Dexuan Cui > --- > drivers/acpi/scan.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c > index a1b226eb2ce2..b801442b6b1b 100644 > --- a/drivers/acpi/scan.c > +++ b/drivers/acpi/scan.c > @@ -674,7 +674,8 @@ int acpi_device_add(struct acpi_device *device, > } > if (!found) { > acpi_device_bus_id = new_bus_id; > - strcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device)); > + strlcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device), > + sizeof(acpi_device_bus_id->bus_id)); Please prefer strscpy() over strlcpy(): + strscpy(acpi_device_bus_id->bus_id, acpi_device_hid(device), + sizeof(acpi_device_bus_id->bus_id)); See: https://lore.kernel.org/lkml/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ Thanks, Dwaipayan. > acpi_device_bus_id->instance_no = 0; > list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list); > }