Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E86CDC61DA4 for ; Thu, 9 Mar 2023 11:08:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231453AbjCILIH (ORCPT ); Thu, 9 Mar 2023 06:08:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229803AbjCILHl (ORCPT ); Thu, 9 Mar 2023 06:07:41 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 808ADF365A for ; Thu, 9 Mar 2023 03:01:36 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3D72861AF9 for ; Thu, 9 Mar 2023 11:01:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3803DC433D2; Thu, 9 Mar 2023 11:01:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1678359689; bh=jyR9pfHa/ZnTyp/+QtHQc9KxqfPwuE+StoZqEfZz4fo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IvjhvO309IcPa7xZlH3HHL0YTFlQZ4SVKdbxGU+0W7whJtFoeghYw88VzPMcdIfPQ w5joOAGnlV5Ujbu0pE+6v1hGptN6OMT+kWFernLG7uqnZuSSkoxeVWZNvEn4oCUVUC ntzBXAkNutWxg5uI20pgnLTzv39NwIMjpbtnnTjo= Date: Thu, 9 Mar 2023 12:01:24 +0100 From: Greg KH To: Xia Fukun Cc: prajnoha@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] kobject: Fix global-out-of-bounds in kobject_action_type() Message-ID: References: <20230308035930.54107-1-xiafukun@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230308035930.54107-1-xiafukun@huawei.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 08, 2023 at 11:59:30AM +0800, Xia Fukun wrote: > The following c language code can trigger KASAN's global variable > out-of-bounds access error in kobject_action_type(): > > int main() { > int fd; > char *filename = "/sys/block/ram12/uevent"; > char str[86] = "offline"; > int len = 86; > > fd = open(filename, O_WRONLY); > if (fd == -1) { > printf("open"); > exit(1); > } > > if (write(fd, str, len) == -1) { > printf("write"); > exit(1); > } > > close(fd); > return 0; > } > > Function kobject_action_type() receives the input parameters buf and count, > where count is the length of the string buf. > > In the use case we provided, count is 86, the count_first is 85. > Buf points to a string with a length of 86, and its first seven > characters are "offline". > In line 87 of the code, kobject_actions[action] is the string "offline" > with the length of 7,an out-of-boundary access will appear: > > kobject_actions[action][85]. > > Modify the judgment logic in line 87. If the length of the string > kobject_actions[action] is greater than count_first(e.g. buf is "off", > count is 3), continue the loop. > Otherwise, the match is considered successful. > > This change means that our test case will be successfully parsed as an > offline event and no out-of-bounds access error will occur. > > Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents") > Signed-off-by: Xia Fukun > --- > v1 -> v2: > - modify the matching logic I see 2 v2 patches in my queue, with no way to tell which one is correct. Please fix up and send a v3. thanks, greg k-h