Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1353159iog; Tue, 14 Jun 2022 04:34:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWzzm9VQMKZyW9tAnWy3u6eAYlFFKzfAPgPgDW2XW+T+9IgZAgPC/CLl1vQVZC6u/oyMn8 X-Received: by 2002:aa7:c054:0:b0:433:2d3b:10ed with SMTP id k20-20020aa7c054000000b004332d3b10edmr5454870edo.211.1655206463632; Tue, 14 Jun 2022 04:34:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655206463; cv=none; d=google.com; s=arc-20160816; b=EMe4jxIK3n1Sq82Crs2VTez4bGrPHFNIHjsn3bvKJnCIqFaTnFJ4gvtlgguf97zvr+ uRTla9YwhpZ24JMNAYOLeydV81zCiay33Gz/9gFnHioT/rBFcPwqn6QZnv/FFjL9vaaG WghG9Fb+9Dq99Sxv9uEPTz6g702Fo9Rjk616JSCquDgiJ0rZD6WCYe2dAasDunUhjPdd jfjeRmmcDZEdp9biLVZPdh2d/OK9dOMssiP4sR64mLxy57uXT+us9vppGNTx+4R6gqRQ QtzLu2Mayap4jxWyTPE6XILyVyLydilykTKEOzdM+XaBv+ijyjvusC442fFOpHco/uye UHcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=S+jzz+wDeocZkdWT7tXReyRdid3XzqDtpe0QKslAzBY=; b=LPgarRU4G1hELN+1XgBA2Xj+RVMD64Yj/O0POJ7gOzNf/HHz2ELmLOi3puMeJLxPk5 X760OMrz6U2nmY260qClM+cZVSCQ0vdGmNMP49Hj+rVAmTa9gt+/Q0XqoWiv4U/JYNPz A07gpmHS1sPIzdqLwPzsJnULRRfUstM8n849WemLMB2euGMjkLdCyUEDhI+yJ3N4ANvE hs/bVKv610taoeaRuRxzoweHoLPpBZnhVLWlokeayba8IMieK9NePZj5jEiWNmsf4yOx VlbQHYpY5z41hgID+0jU+24YcwfA6MHmLKUnSGL7mt+XEaUifMSl+Rnwrs56RAOYdTOm mE/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=KGK1afYY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id fc19-20020a1709073a5300b007121c1dc158si8410145ejc.518.2022.06.14.04.33.56; Tue, 14 Jun 2022 04:34:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=KGK1afYY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356199AbiFNLIL (ORCPT + 99 others); Tue, 14 Jun 2022 07:08:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60234 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356247AbiFNLIE (ORCPT ); Tue, 14 Jun 2022 07:08:04 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 18974BF6A for ; Tue, 14 Jun 2022 04:07:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1655204870; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S+jzz+wDeocZkdWT7tXReyRdid3XzqDtpe0QKslAzBY=; b=KGK1afYYnCC1w7uhGmyn1G9A/7UZX7MYwHlO7q0MlLwnWsInMoZl01v5vYPJyHK1TYygGz AI8xQkcCRXA+qnUH3jGKqQk7LJSU+Pon0tp6d9sTXCxxjpiS5StEBunyvS7FuJi/oT17Ow nPqFUVPns1UBlYBoTEH0ka1vKuEDCOU= Received: from mail-qt1-f200.google.com (mail-qt1-f200.google.com [209.85.160.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-450-rcgcsVfJPGakS04zscnwWg-1; Tue, 14 Jun 2022 07:07:48 -0400 X-MC-Unique: rcgcsVfJPGakS04zscnwWg-1 Received: by mail-qt1-f200.google.com with SMTP id 9-20020ac85749000000b00304ee787b02so6320467qtx.11 for ; Tue, 14 Jun 2022 04:07:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=S+jzz+wDeocZkdWT7tXReyRdid3XzqDtpe0QKslAzBY=; b=D8eSKMJ93t0gpMiqg1+1Wubs1oMchtFZSu5Q2YP5YLfWZf+Ft73VtzEIqm0Ou+Bq7f OSY1zWGC8jJwZ3RTB4Mj+SI/QLn1ZMZvn4fxhH/TyHhsfL5GL5JHr5yvZOpxTdRhUhAc xD+6/OKozEvTO9vx3yaAQM7iPgJLyKwEm1YUH4MhCcx5LpKodB/C4Ceb/OE34O4wOJo6 Vvz7jAz958nHcibelsWb7iPG+m+oHebfz0yCqvJKlVs+TZAuZsj/g+MU6iRA8ZWPhvxU TdB/bWnGIyokNIKfceOKDmRkVTgzm1FDNLh7LwKkYqGVbSEXiuNq9kkH3mjtlD05Ht1H M0QQ== X-Gm-Message-State: AOAM5326Sb7ytIEz33KwV9EIBRooUcjzbeuRg4cI2oHHo2uyJmqvhsGr bafjRuQZ5r3x9fl2YEQZVHxWG7F8W1v0F1tFqN9fK5EwTXa0hQOlPmr1tL4EnYwX9nmPhvAgU8l 7yXuWmOJVbcy5aB65ZVuB8m/4 X-Received: by 2002:a37:a9c4:0:b0:6a6:8992:e400 with SMTP id s187-20020a37a9c4000000b006a68992e400mr3353382qke.494.1655204868309; Tue, 14 Jun 2022 04:07:48 -0700 (PDT) X-Received: by 2002:a37:a9c4:0:b0:6a6:8992:e400 with SMTP id s187-20020a37a9c4000000b006a68992e400mr3353365qke.494.1655204867985; Tue, 14 Jun 2022 04:07:47 -0700 (PDT) Received: from gerbillo.redhat.com (146-241-113-202.dyn.eolo.it. [146.241.113.202]) by smtp.gmail.com with ESMTPSA id t4-20020a05622a01c400b00304ef50af9fsm7313181qtw.2.2022.06.14.04.07.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Jun 2022 04:07:47 -0700 (PDT) Message-ID: <62319ec578f469ff2c39aa6559fd945ba937726c.camel@redhat.com> Subject: Re: [PATCH] hamradio: 6pack: fix array-index-out-of-bounds in decode_std_command() From: Paolo Abeni To: Xu Jia , linux-hams@vger.kernel.org Cc: ajk@comnets.uni-bremen.de, davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Date: Tue, 14 Jun 2022 13:07:44 +0200 In-Reply-To: <1655112337-48005-1-git-send-email-xujia39@huawei.com> References: <1655112337-48005-1-git-send-email-xujia39@huawei.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 (3.42.4-2.fc35) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2022-06-13 at 17:25 +0800, Xu Jia wrote: > Hulk Robot reports incorrect sp->rx_count_cooked value in decode_std_command(). > This should be caused by the subtracting from sp->rx_count_cooked before. > It seems that sp->rx_count_cooked value is changed to 0, which bypassed the > previous judgment. > sp->rx_count_cooked is a shared variable but is not protected by a lock. It's not clear to me how multiple process could access it concurrently, could you please elaborate more? > The same applies to sp->rx_count. This patch adds a lock to fix the bug. > > The fail log is shown below: > ======================================================================= > UBSAN: array-index-out-of-bounds in drivers/net/hamradio/6pack.c:925:31 > index 400 is out of range for type 'unsigned char [400]' > CPU: 3 PID: 7433 Comm: kworker/u10:1 Not tainted 5.18.0-rc5-00163-g4b97bac0756a #2 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 > Workqueue: events_unbound flush_to_ldisc > Call Trace: > > dump_stack_lvl+0xcd/0x134 > ubsan_epilogue+0xb/0x50 > __ubsan_handle_out_of_bounds.cold+0x62/0x6c > sixpack_receive_buf+0xfda/0x1330 > tty_ldisc_receive_buf+0x13e/0x180 > tty_port_default_receive_buf+0x6d/0xa0 > flush_to_ldisc+0x213/0x3f0 > process_one_work+0x98f/0x1620 > worker_thread+0x665/0x1080 > kthread+0x2e9/0x3a0 > ret_from_fork+0x1f/0x30 > ... > > Reported-by: Hulk Robot > Signed-off-by: Xu Jia > --- > drivers/net/hamradio/6pack.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c > index 45c3c4a..194f22f 100644 > --- a/drivers/net/hamradio/6pack.c > +++ b/drivers/net/hamradio/6pack.c > @@ -100,6 +100,8 @@ struct sixpack { > unsigned int rx_count; > unsigned int rx_count_cooked; > > + spinlock_t rxlock; > + > int mtu; /* Our mtu (to spot changes!) */ > int buffsize; /* Max buffers sizes */ > > @@ -565,6 +567,7 @@ static int sixpack_open(struct tty_struct *tty) > sp->dev = dev; > > spin_lock_init(&sp->lock); > + spin_lock_init(&sp->rxlock); > refcount_set(&sp->refcnt, 1); > init_completion(&sp->dead); > > @@ -913,6 +916,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd) > sp->led_state = 0x60; > /* fill trailing bytes with zeroes */ > sp->tty->ops->write(sp->tty, &sp->led_state, 1); > + spin_lock(&sp->rxlock); > rest = sp->rx_count; > if (rest != 0) > for (i = rest; i <= 3; i++) > @@ -930,6 +934,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd) > sp_bump(sp, 0); > } > sp->rx_count_cooked = 0; > + spin_unlock(&sp->rxlock); It looks like 'sp->rx_count' and 'sp->rx_count_cooked' are touched also in decode_data(). Do we need to protect such accesses, too? Thanks! Paolo