Date: Fri, 24 May 2024 08:56:50 +0200
From: Greg KH
To: quic_zijuhu
Cc: rafael@kernel.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] kobject_uevent: Fix OOB access within zap_modalias_env()
Message-ID: <2024052458-unleash-atom-489b@gregkh>
References: <1716524403-5415-1-git-send-email-quic_zijuhu@quicinc.com>
 <2024052418-casket-partition-c143@gregkh>
 <74465bf5-ca18-45f8-a881-e95561c59a02@quicinc.com>
 <2024052438-hesitate-chevron-dbd7@gregkh>
 <5acce173-0224-4a05-ae88-3eb1833fcb39@quicinc.com>
In-Reply-To: <5acce173-0224-4a05-ae88-3eb1833fcb39@quicinc.com>

On Fri, May 24, 2024 at 01:34:49PM +0800, quic_zijuhu wrote:
> On 5/24/2024 1:21 PM, Greg KH wrote:
> > On Fri, May 24, 2024 at 01:15:01PM +0800, quic_zijuhu wrote:
> >> On 5/24/2024 12:33 PM, Greg KH wrote:
> >>> On Fri, May 24, 2024 at 12:20:03PM +0800, Zijun Hu wrote:
> >>>> zap_modalias_env() wrongly calculates size of memory block
> >>>> to move, so maybe cause OOB memory access issue, fixed by
> >>>> correcting size to memmove.
> >>>
> >>> "maybe" or "does"?  That's a big difference :)
> >>>
> >> i found this issue by reading code instead of really meeting this issue.
> >> this issue should be prone to happen if there are more than 1 other
> >> environment vars.
> >
> > But does it?  Given that we have loads of memory checkers, and I haven't
> > ever seen any report of any overrun, it would be nice to be sure.
> >
> yes. if @env includes env variable MODALIAS and more than one other env
> variables. then (env->buflen - len) must be greater than actual size of
> "target block" shown previously, so the OOB issue must happen.

Then why are none of the tools that we have for catching out-of-bound
issues triggered here?  Are the tools broken or is this really just not
ever happening?

It would be good to figure that out...

thanks,

greg k-h
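
A userspace model of the size calculation debated in this message, as an added example: it is not kernel code and not from either participant. The struct layout, BUF_SIZE, MAX_ENVP and the helper names are assumptions; only `env->buflen`, `len`, `memmove` and `MODALIAS` come from the thread. It compares the count `env->buflen - len` with the bytes actually stored after the removed entry, and removes the entry by moving only that tail.

```c
#include <stddef.h>
#include <string.h>

/* Simplified userspace model (assumption, not kernel code): NUL-terminated
 * "KEY=value" strings packed back to back in buf; buflen = bytes in use. */
#define BUF_SIZE 64
#define MAX_ENVP 8
struct env_model {
	char *envp[MAX_ENVP];
	int envp_idx;
	char buf[BUF_SIZE];
	size_t buflen;
};

static int env_add(struct env_model *env, const char *s)
{
	size_t n = strlen(s) + 1;

	if (env->envp_idx >= MAX_ENVP || env->buflen + n > BUF_SIZE)
		return -1;
	memcpy(env->buf + env->buflen, s, n);
	env->envp[env->envp_idx++] = env->buf + env->buflen;
	env->buflen += n;
	return 0;
}

/* Count quoted in the thread: bytes in use minus the removed entry. */
static size_t size_thread(const struct env_model *env, int i)
{
	return env->buflen - (strlen(env->envp[i]) + 1);
}

/* Bytes stored after entry i, i.e. the block that has to slide down.
 * Caller ensures i + 1 < envp_idx. */
static size_t size_tail(const struct env_model *env, int i)
{
	return (size_t)(env->buf + env->buflen - env->envp[i + 1]);
}

/* Remove entry i (caller ensures 0 <= i < envp_idx), moving only the tail. */
static void env_remove(struct env_model *env, int i)
{
	size_t len = strlen(env->envp[i]) + 1;

	if (i != env->envp_idx - 1) {
		memmove(env->envp[i], env->envp[i + 1], size_tail(env, i));
		for (int j = i; j < env->envp_idx - 1; j++)
			env->envp[j] = env->envp[j + 1] - len;
	}
	env->envp_idx--;
	env->buflen -= len;
}
```

In this model the difference between the two counts equals the number of bytes stored ahead of the removed entry, and a read of `size_thread()` bytes leaves the array only when that offset plus `buflen` exceeds BUF_SIZE.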