Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp5959313rwl; Mon, 9 Jan 2023 02:09:52 -0800 (PST) X-Google-Smtp-Source: AMrXdXsNYJ5H371UkxOmgOlshXP7UNsaEtjaJwv6Fe5dCXqwoWYox6FbTw1NG9R3yQ4MhNyQxirl X-Received: by 2002:a50:eac6:0:b0:461:d042:80db with SMTP id u6-20020a50eac6000000b00461d04280dbmr55256274edp.0.1673258992221; Mon, 09 Jan 2023 02:09:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673258992; cv=none; d=google.com; s=arc-20160816; b=lLGV3xRbwQ3cQGUnhElmBpCTq7MRETPgbqJdvK8yNeVjebVfP30/C1tZo74l99yji4 dvNbOxNasJtvmVW3NDi3JWIJuF4L710OMYT94cJzkLVRigdvzsRuSY4iXUIzDOjm87+6 f57gFFD7nZ8cisy6Dq9C1/my6vVeYKuSpllBXUJluy8l2nP1NvNpVHwCYDo3j9T7JngP rvEXLxcloGxjoYDNAv01jwRiaHeqnClcILJpENmrDr24RRC/NKKw/DjnahTepMnSjWbu iMakUJr5CmCZ3HAjUtLmowxvS7j2muC5sF8TH7IMaY1Rs67pW5zRppAeBthjBK9nYAtd 4nOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:subject:user-agent:mime-version:date:message-id; bh=vEND4xqxDGMxp+GOEOl3M+tc9O5RDNw5wO03dlunK4E=; b=mQ2rK5sQl18ju7AtyHlJofBlrmPttUGLgDAvp/PsIBfR1b3PJYzcZE803MYCpxAzbw jUpPxlPjtqmLgG3lqp1OACoewO4spJxWKcde4/IXfGtAd9RWvkfgJUL0M0N8TMErpSkT S09ky/jKnPdEllAJIlgM6Vnv7gcud5MPuAmBUpOwHnc3sx888vpFlcQFgYoPi5OncveV RuPuL19u9rpKjVx+mKiOu6XIsCKhqPMlvzFpg3xPsSwgaH11Tv5uh9U+eyi9pxpQamU3 W1E2MIq8kxsIe8wQCSoUpmhYgkx1ODytLwfBKPD4VWJeuJbccPyiYnAZMHSg6eYuHp1H SW/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d8-20020a50cd48000000b0048e64784ec8si8375262edj.72.2023.01.09.02.09.38; Mon, 09 Jan 2023 02:09:52 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234660AbjAIJhc (ORCPT + 54 others); Mon, 9 Jan 2023 04:37:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35956 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233436AbjAIJh2 (ORCPT ); Mon, 9 Jan 2023 04:37:28 -0500 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CCA47645F for ; Mon, 9 Jan 2023 01:37:26 -0800 (PST) Received: from kwepemm600001.china.huawei.com (unknown [172.30.72.54]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4Nr82J5XXZz16Mgs; Mon, 9 Jan 2023 17:35:52 +0800 (CST) Received: from [10.174.176.245] (10.174.176.245) by kwepemm600001.china.huawei.com (7.193.23.3) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Mon, 9 Jan 2023 17:37:24 +0800 Message-ID: <54066d0e-ef50-183f-74fe-551bb99741eb@huawei.com> Date: Mon, 9 Jan 2023 17:37:23 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH v2] kobject: Fix slab-out-of-bounds in fill_kobj_path() From: Wang Hai To: CC: , , , , , References: <20221220012143.52141-1-wanghai38@huawei.com> In-Reply-To: <20221220012143.52141-1-wanghai38@huawei.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.176.245] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600001.china.huawei.com (7.193.23.3) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2022/12/20 9:21, Wang Hai 写道: > In kobject_get_path(), if kobj->name is changed between calls > get_kobj_path_length() and fill_kobj_path() and the length becomes > longer, then fill_kobj_path() will have an out-of-bounds bug. > > The actual current problem occurs when the ixgbe probe. > > In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name > length becomes longer, out-of-bounds will occur. > > cpu0 cpu1 > ixgbe_probe > register_netdev(netdev) > netdev_register_kobject > device_add > kobject_uevent // Sending ADD events > systemd-udevd // rename netdev > dev_change_name > device_rename > kobject_rename > ixgbe_mii_bus_init | > mdiobus_register | > __mdiobus_register | > device_register | > device_add | > kobject_uevent | > kobject_get_path | > len = get_kobj_path_length // old name | > path = kzalloc(len, gfp_mask); | > kobj->name = name; > /* name length becomes > * longer > */ > fill_kobj_path /* kobj path length is > * longer than path, > * resulting in out of > * bounds when filling path > */ > > This is the kasan report: > > ================================================================== > BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0 > Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673 > > Workqueue: events work_for_cpu_fn > Call Trace: > > dump_stack_lvl+0x34/0x48 > print_address_description.constprop.0+0x86/0x1e7 > print_report+0x36/0x4f > kasan_report+0xad/0x130 > kasan_check_range+0x35/0x1c0 > memcpy+0x39/0x60 > fill_kobj_path+0x50/0xc0 > kobject_get_path+0x5a/0xc0 > kobject_uevent_env+0x140/0x460 > device_add+0x5c7/0x910 > __mdiobus_register+0x14e/0x490 > ixgbe_probe.cold+0x441/0x574 [ixgbe] > local_pci_probe+0x78/0xc0 > work_for_cpu_fn+0x26/0x40 > process_one_work+0x3b6/0x6a0 > worker_thread+0x368/0x520 > kthread+0x165/0x1a0 > ret_from_fork+0x1f/0x30 > > This reproducer triggers that bug: > > while: > do > rmmod ixgbe > sleep 0.5 > modprobe ixgbe > sleep 0.5 > > When calling fill_kobj_path() to fill path, if the name length of > kobj becomes longer, return failure and retry. This fixes the problem. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Wang Hai > --- Hi, greg k-h. Sorry to bother you. Can this patch be merged into the mainline? -- Wang Hai