Received: by 2002:a05:6358:f14:b0:e5:3b68:ec04 with SMTP id b20csp2675393rwj; Mon, 19 Dec 2022 07:32:38 -0800 (PST) X-Google-Smtp-Source: AA0mqf6MNFPgIhd65qp55KSsTAMoy4d6c5PQWFpvL3AJ4mKagYWo0eiGZI8bsLiyANy1YCU/BqI0 X-Received: by 2002:a17:907:2b15:b0:7c1:5b5e:4d86 with SMTP id gc21-20020a1709072b1500b007c15b5e4d86mr24680407ejc.36.1671463958130; Mon, 19 Dec 2022 07:32:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671463958; cv=none; d=google.com; s=arc-20160816; b=zxkYV6FymcN3BkYuygEWKI3IjN5+Fmq83O6EfMAPKIH3Ydf8rru3DkObnDOiigHI/f 3tjtOWZ2rE8PZCI4AJmItE2IBA0tNIHK/OKCStJVqTdShmvXdtUbi0ilYXhoQMbNQ79M 0mrKV1b6BvmmJQzeyNEVEpLB11XpnIilxkbTeFm1XrneHVeg7mLeKfP8H7pliegbX3KW CVGUREGtmh0+ls61x/DcOGJF9YRAJyInI+xiKmNs2FUmUuw0BSX+t2nAwr8m/Z54rcpv YDucmQRLeqsIfs/zp3swx6Ecu2U6+dK37RJ1lsFSjIRNx49KEfV12iz+WEBmU7eyQDAf JTLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=4c3m7qH19kxiaDGms1GWkZ7YP9QZsDpD9mbMOZeVJTU=; b=JtGp4cLauqYz9QiIcPij+urVLDeTuh/k6IU2nrYH0dEmg4TpRm3rWwIvaqoz1Kqa50 EkCLSWIraSqByWquif+hEHQ4/DD5bEczpa+Cv6ptOSFSkiXqCuLumq1vgdWGgIjfytKb ORGlPtD2AFr/elVaqNR6LoR0vZru/tJf7X0G3h1cXs916TPy2dFk9dufLKGkc7V35Xmp 7wbqApw6j+oDcjxBgUg2d4kqmVTlpXgQ8PChiP515fO3vodIWOIczQ6sZZOL+o/2BfnW 2MkiYYXKUqtTL20OLGiQP6QJ3TyN3LYHp+ZDGJ4vfsqR/5b5SEMpBUv3kXPlkdrOWg0j Yi9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lKeIoCzO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sd34-20020a1709076e2200b007824b85978asi10377888ejc.81.2022.12.19.07.32.21; Mon, 19 Dec 2022 07:32:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lKeIoCzO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231924AbiLSO6k (ORCPT + 71 others); Mon, 19 Dec 2022 09:58:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60626 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232376AbiLSO6N (ORCPT ); Mon, 19 Dec 2022 09:58:13 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15E295F49 for ; Mon, 19 Dec 2022 06:54:46 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id BE19BB80DF2 for ; Mon, 19 Dec 2022 14:54:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D1EDCC433EF; Mon, 19 Dec 2022 14:54:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1671461683; bh=wOJC6lzxLzI4/rdLQoX0fj3Ksu94I8e0ImMBtduC86U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=lKeIoCzOzLDSDGz8TK0g93ZGEpDjeOoqy1+37bMZ+6z1ZvGd3SSHWe0Pa2AstHKTR kFzDZ8YIZn6l3A6+SajUK3if1OhDH/+BlBoSeFBw6hzIQg6ZwQlfdw/MY5bPjntKeu 8zLAMrbmhD5FcxlQd7jeitlZ7pkWh98yMcOnqkC8= Date: Mon, 19 Dec 2022 15:54:40 +0100 From: Greg KH To: Wang Hai , Alice Chao Cc: rafael@kernel.org, jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com, intel-wired-lan@lists.osuosl.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] kobject: Fix slab-out-of-bounds in fill_kobj_path() Message-ID: References: <20221219144103.34789-1-wanghai38@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221219144103.34789-1-wanghai38@huawei.com> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 19, 2022 at 10:41:03PM +0800, Wang Hai wrote: > In kobject_get_path(), if kobj->name is changed between calls > get_kobj_path_length() and fill_kobj_path() and the length becomes > longer, then fill_kobj_path() will have an out-of-bounds bug. > > The actual current problem occurs when the ixgbe probe. > > In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name > length becomes longer, out-of-bounds will occur. > > cpu0 cpu1 > ixgbe_probe > register_netdev(netdev) > netdev_register_kobject > device_add > kobject_uevent // Sending ADD events > systemd-udevd // rename netdev > dev_change_name > device_rename > kobject_rename > | > ixgbe_mii_bus_init | > mdiobus_register | > __mdiobus_register | > device_register | > device_add | > kobject_uevent | > kobject_get_path | > len = get_kobj_path_length // old name | > path = kzalloc(len, gfp_mask); | > kobj->name = name; > /* name length becomes > * longer > */ > fill_kobj_path /* kobj path length is > * longer than path, > * resulting in out of > * bounds when filling path > */ > > This is the kasan report: > > ================================================================== > BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0 > Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673 > > Workqueue: events work_for_cpu_fn > Call Trace: > > dump_stack_lvl+0x34/0x48 > print_address_description.constprop.0+0x86/0x1e7 > print_report+0x36/0x4f > kasan_report+0xad/0x130 > kasan_check_range+0x35/0x1c0 > memcpy+0x39/0x60 > fill_kobj_path+0x50/0xc0 > kobject_get_path+0x5a/0xc0 > kobject_uevent_env+0x140/0x460 > device_add+0x5c7/0x910 > __mdiobus_register+0x14e/0x490 > ixgbe_probe.cold+0x441/0x574 [ixgbe] > local_pci_probe+0x78/0xc0 > work_for_cpu_fn+0x26/0x40 > process_one_work+0x3b6/0x6a0 > worker_thread+0x368/0x520 > kthread+0x165/0x1a0 > ret_from_fork+0x1f/0x30 > > This reproducer triggers that bug: > > while: > do > rmmod ixgbe > sleep 0.5 > modprobe ixgbe > sleep 0.5 > > When calling fill_kobj_path() to fill path, if the name length of > kobj becomes longer, return failure and retry. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Wang Hai > --- > lib/kobject.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) Nice find, and a much better description than was reported here: https://lore.kernel.org/all/20221216031320.2634-1-alice.chao@mediatek.com/ Alice, does this patch resolve your problem as well? > > diff --git a/lib/kobject.c b/lib/kobject.c > index a0b2dbfcfa23..d129f437b200 100644 > --- a/lib/kobject.c > +++ b/lib/kobject.c > @@ -112,7 +112,7 @@ static int get_kobj_path_length(struct kobject *kobj) > return length; > } > > -static void fill_kobj_path(struct kobject *kobj, char *path, int length) > +static bool fill_kobj_path(struct kobject *kobj, char *path, int length) Just return an int and an error value, bool isn't a normal return value, right? > { > struct kobject *parent; > > @@ -121,12 +121,16 @@ static void fill_kobj_path(struct kobject *kobj, char *path, int length) > int cur = strlen(kobject_name(parent)); > /* back up enough to print this name with '/' */ > length -= cur; > + if (length < 0) > + return false; Return -EINVAL or something? What if length ends up 0 here, is that going to be ok? > memcpy(path + length, kobject_name(parent), cur); > *(path + --length) = '/'; > } > > pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj), > kobj, __func__, path); > + > + return true; return 0; > } > > /** > @@ -140,14 +144,20 @@ char *kobject_get_path(struct kobject *kobj, gfp_t gfp_mask) > { > char *path; > int len; > + bool ret; No need for this variable > > +retry: > len = get_kobj_path_length(kobj); > if (len == 0) > return NULL; > path = kzalloc(len, gfp_mask); > if (!path) > return NULL; > - fill_kobj_path(kobj, path, len); > + ret = fill_kobj_path(kobj, path, len); > + if (!ret) { Make this one line: if (fill_kobj_path(kobj, path, len)) { But, you now have a loop, what guarantees that you can get out of it? thanks, greg k-h