Received: by 2002:a05:7412:518d:b0:e2:908c:2ebd with SMTP id fn13csp350923rdb; Thu, 5 Oct 2023 07:48:06 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHod3z13fdZUlrVhyYaLZPF87CL9BpHmy3pRtBrOtQn9FH0O9i4DhUHZtFeEKpcX3e3jVgU X-Received: by 2002:a17:902:a504:b0:1c3:308b:ecb9 with SMTP id s4-20020a170902a50400b001c3308becb9mr4954389plq.11.1696517285995; Thu, 05 Oct 2023 07:48:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696517285; cv=none; d=google.com; s=arc-20160816; b=KEnFl818/c7APkJ/FuQh2RDati4iQFkI4TGFUavrb85CP54J2PMXsI/LBqFmACEjmo Ll/NMHRVADx05WJYlWM4xWPYmBbeYl/2vRCzTZcYv/y2ySHIUsdCOTBtdFOgoz25Qo/a YvYhYuxnlM9US3icHSX4aP+m5q53TzeqEt72KDAuLJKatLjC//7fGEQCnubjJNOyin66 V/bonc3D7xke9LMYrJkdNNpy6yo0r6S1kTTqpWYfheonVM7csmhz2FrYT+aqfw9O2KVu Rago6OWu0QVrXW3UIOoHPMs2XFt9NlCzDFIIovJ0IG9Scfde6yAcvY4ihjqYcuaXy3t+ eDKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=jf4iTnfuvJlwb3rpfWq7tD+KWYxqMtPzs6b+rha1SMg=; fh=P4cLO2+NbYdKdrP84BGVpuI7UYZYRLVjIK5PQfOWLsU=; b=gnOA3euBgZVHUDt/wkAOi6BmtQAGsKFlIYcsM/7319ScP0uyT86Qs+yxUHLfNvClui HELlUnMh/HQQFUM02r7cHpnpDiFfGwrddgF61w2Zsne9jZ1u1AjE8us46LN/7LDQYM6d PpXBcPTLZlLLHfwdFSVXxHlM2nMAH8flzaklt5GtKw/VaWgKG1JnvDXEge644Yl1ldOd PFb8rDHVKfd4dwa5+xiVxARHcnT8ey2NfTAJYXY8m2IrKVFJUj+SQlwS88DW8aGO00Yn e+vq6zTys/3DqzQ36Wbnykia9aS7Xj5gIcuuZHdI9HVkpYgyzQuPimIEg4jplE0w+aZV 3dWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lIzoqeBQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id n6-20020a170902d2c600b001b8a4954be1si1775219plc.595.2023.10.05.07.48.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 07:48:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lIzoqeBQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 83527867FEB8; Thu, 5 Oct 2023 07:47:05 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238629AbjJEOq0 (ORCPT + 99 others); Thu, 5 Oct 2023 10:46:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39978 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239168AbjJEOlx (ORCPT ); Thu, 5 Oct 2023 10:41:53 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3D9C87238 for ; Thu, 5 Oct 2023 07:17:36 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 03517C32778; Thu, 5 Oct 2023 11:48:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1696506483; bh=IkhOtidzH+64ogOKIAsCEwo9wFFhyaMvN89vzlkDkXw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=lIzoqeBQdTnHdX3ExaidTTaxCQautKMKcHdEeftu9MGo/k5tbTTEHubJbIxTPNKkj rqgBazlMaYOYF/zi/q89wDFkjpr+LAcUGtPUvdscRvGpLvNR+xKfxIU0tIY4i5FRKP MdWLzk+4fsIh7UMskrR89fIpZ2R4ztblG/pRBL7g= Date: Thu, 5 Oct 2023 13:48:00 +0200 From: Greg KH To: Xia Fukun Cc: prajnoha@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH v7] kobject: Fix global-out-of-bounds in kobject_action_type() Message-ID: <2023100512-groom-diameter-eda0@gregkh> References: <20230518091614.137522-1-xiafukun@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230518091614.137522-1-xiafukun@huawei.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Thu, 05 Oct 2023 07:47:05 -0700 (PDT) On Thu, May 18, 2023 at 05:16:14PM +0800, Xia Fukun wrote: > The following c language code can trigger KASAN's global variable > out-of-bounds access error in kobject_action_type(): > > int main() { > int fd; > char *filename = "/sys/block/ram12/uevent"; > char str[86] = "offline"; > int len = 86; > > fd = open(filename, O_WRONLY); > if (fd == -1) { > printf("open"); > exit(1); > } > > if (write(fd, str, len) == -1) { > printf("write"); > exit(1); > } > > close(fd); > return 0; > } > > Function kobject_action_type() receives the input parameters buf and count, > where count is the length of the string buf. > > In the use case we provided, count is 86, the count_first is 85. > Buf points to a string with a length of 86, and its first seven characters > are "offline". In the for loop, kobject_actions[action] is the string > "offline" with the length of 7,an out-of-boundary access will appear: > > kobject_actions[action][85]. > > Use sysfs_match_string() to replace the fragile and convoluted loop. > This function is well-tested for parsing sysfs inputs. Moreover, this > modification will not cause any functional changes. > > Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents") > Signed-off-by: Xia Fukun > --- > v6 -> v7: > - Move macro UEVENT_KACT_STRSIZE to the .c file to > improve maintainability. > > v5 -> v6: > - Ensure that the following extensions remain effective: > https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-uevent > > v4 -> v5: > - Fixed build errors and warnings, and retested the patch. > > v3 -> v4: > - Refactor the function to be more obviously correct and readable. > --- > lib/kobject_uevent.c | 38 +++++++++++++++++++++++++------------- > 1 file changed, 25 insertions(+), 13 deletions(-) > > diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c > index 7c44b7ae4c5c..2171e1648dad 100644 > --- a/lib/kobject_uevent.c > +++ b/lib/kobject_uevent.c > @@ -47,6 +47,14 @@ static LIST_HEAD(uevent_sock_list); > /* This lock protects uevent_seqnum and uevent_sock_list */ > static DEFINE_MUTEX(uevent_sock_mutex); > > +/* > + * The maximum length of the string contained in kobject_actions[]. > + * If there are any actions added or modified, please ensure that > + * the string length does not exceed the macro, otherwise > + * should modify the macro definition. > + */ > +#define UEVENT_KACT_STRSIZE 16 But the biggest size here is not 16, it's 6. So where did 16 come from? Why not dynamically determine the biggest size at runtime? thanks, greg k-h