Subject: Re: [PATCH v2] kobject: Fix slab-out-of-bounds in fill_kobj_path()
From: Wang Hai
To: Greg KH
Date: Mon, 9 Jan 2023 19:15:05 +0800
Message-ID: <6fcc6c81-96fb-112f-3aa9-3e2d58ecb2c8@huawei.com>
References: <20221220012143.52141-1-wanghai38@huawei.com> <54066d0e-ef50-183f-74fe-551bb99741eb@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023/1/9 18:33, Greg KH wrote:
> On Mon, Jan 09, 2023 at 05:37:23PM +0800, Wang Hai wrote:
>> On 2022/12/20 9:21, Wang Hai wrote:
>>> In kobject_get_path(), if kobj->name is changed between the calls to
>>> get_kobj_path_length() and fill_kobj_path() and the length becomes
>>> longer, then fill_kobj_path() will have an out-of-bounds bug.
>>>
>>> The actual current problem occurs during the ixgbe probe.
>>>
>>> In ixgbe_mii_bus_init(), if netdev->dev.kobj.name becomes longer,
>>> an out-of-bounds access will occur.
>>>
>>> cpu0                                            cpu1
>>> ixgbe_probe
>>>   register_netdev(netdev)
>>>     netdev_register_kobject
>>>       device_add
>>>         kobject_uevent // Sending ADD events
>>>                                                 systemd-udevd // rename netdev
>>>                                                   dev_change_name
>>>                                                     device_rename
>>>                                                       kobject_rename
>>>   ixgbe_mii_bus_init                                    |
>>>     mdiobus_register                                    |
>>>       __mdiobus_register                                |
>>>         device_register                                 |
>>>           device_add                                    |
>>>             kobject_uevent                              |
>>>               kobject_get_path                          |
>>>                 len = get_kobj_path_length // old name  |
>>>                 path = kzalloc(len, gfp_mask);          |
>>>                                                         kobj->name = name;
>>>                                                         /* name length becomes
>>>                                                          * longer
>>>                                                          */
>>>                 fill_kobj_path /* kobj path length is
>>>                                 * longer than path,
>>>                                 * resulting in out of
>>>                                 * bounds when filling path
>>>                                 */
>>>
>>> This is the kasan report:
>>>
>>> ==================================================================
>>> BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0
>>> Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673
>>>
>>> Workqueue: events work_for_cpu_fn
>>> Call Trace:
>>>
>>> dump_stack_lvl+0x34/0x48
>>> print_address_description.constprop.0+0x86/0x1e7
>>> print_report+0x36/0x4f
>>> kasan_report+0xad/0x130
>>> kasan_check_range+0x35/0x1c0
>>> memcpy+0x39/0x60
>>> fill_kobj_path+0x50/0xc0
>>> kobject_get_path+0x5a/0xc0
>>> kobject_uevent_env+0x140/0x460
>>> device_add+0x5c7/0x910
>>> __mdiobus_register+0x14e/0x490
>>> ixgbe_probe.cold+0x441/0x574 [ixgbe]
>>> local_pci_probe+0x78/0xc0
>>> work_for_cpu_fn+0x26/0x40
>>> process_one_work+0x3b6/0x6a0
>>> worker_thread+0x368/0x520
>>> kthread+0x165/0x1a0
>>> ret_from_fork+0x1f/0x30
>>>
>>> This reproducer triggers that bug:
>>>
>>> while :
>>> do
>>>     rmmod ixgbe
>>>     sleep 0.5
>>>     modprobe ixgbe
>>>     sleep 0.5
>>> done
>>>
>>> When calling fill_kobj_path() to fill path, if the name length of
>>> kobj becomes longer, return failure and retry. This fixes the problem.
>>>
>>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>>> Signed-off-by: Wang Hai
>>> ---
>> Hi, greg k-h.
>> Sorry to bother you. Can this patch be merged into the mainline?
> It's in my "to review" queue that I am working on. As this is not
> anything that a normal user can trigger, it's not that high of a
> priority, right?
>
> thanks,
>
> greg k-h

Thanks, I thought you had forgotten about it. I hope I'm not disturbing you.

-- 
Wang Hai
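The check-and-retry approach the quoted commit message describes, as an added user-space illustration that is neither the patch's code nor the kernel's: fill_kobj_path() refuses to write past the buffer it was handed and the caller recomputes the length. The struct kobject stand-in, the pending_rename/pending_name globals that simulate a concurrent rename landing in the window, and the races_detected counter are constructed for the demo; this version also treats a name that shrank as a mismatch and retries, which goes beyond what the page states.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for struct kobject: a name and a parent link. */
struct kobject { const char *name; struct kobject *parent; };

/* Constructed race simulation: if set, this rename lands between the length
 * computation and the fill, like a concurrent kobject_rename() would. */
struct kobject *pending_rename; const char *pending_name;
int races_detected;   /* how many times the fill refused and we retried */

/* Bytes needed: "/" + name for each ancestor, plus the trailing NUL. */
static size_t get_kobj_path_length(const struct kobject *kobj) {
    size_t len = 1;
    for (; kobj; kobj = kobj->parent)
        len += strlen(kobj->name) + 1;
    return len;
}

/* Fill backwards from the end of the buffer. Instead of trusting the earlier
 * length, check that each name still fits; any mismatch returns -1. */
static int fill_kobj_path(const struct kobject *kobj, char *path, size_t length) {
    --length;                              /* slot for the NUL, zeroed by calloc */
    for (; kobj; kobj = kobj->parent) {
        size_t cur = strlen(kobj->name);
        if (length < cur + 1) return -1;   /* name grew: would write out of bounds */
        length -= cur;
        memcpy(path + length, kobj->name, cur);
        path[--length] = '/';
    }
    return length == 0 ? 0 : -1;           /* leftover space: a name shrank, retry */
}

/* Compute, allocate, fill; if the fill reports a mismatch, free and start over. */
char *kobject_get_path(const struct kobject *kobj) {
    for (;;) {
        size_t len = get_kobj_path_length(kobj);
        char *path = calloc(len, 1);
        if (!path) return NULL;
        if (pending_rename) {              /* simulated rename window (constructed) */
            pending_rename->name = pending_name;
            pending_rename = NULL;
        }
        if (fill_kobj_path(kobj, path, len) == 0) return path;
        races_detected++;
        free(path);
    }
}
```

Set pending_rename and pending_name before calling kobject_get_path() to exercise the retry path; the caller frees the returned string.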