| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 13:48:06 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Andrey Ryabinin <aryabinin@...tuozzo.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Subject: [PATCH 4.15 057/163] platform/x86: wmi: fix off-by-one write in wmi_dev_probe()
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ryabinin <aryabinin@...tuozzo.com>
commit 6e1d8ea90932f77843730ada0bfea63093b7212a upstream.
wmi_dev_probe() allocates one byte less than necessary, thus
subsequent sprintf() call writes trailing zero past the end
of the 'buf':
BUG: KASAN: slab-out-of-bounds in vsnprintf+0xda4/0x1240
Write of size 1 at addr ffff880423529caf by task kworker/1:1/32
Call Trace:
dump_stack+0xb3/0x14d
print_address_description+0xd7/0x380
kasan_report+0x166/0x2b0
vsnprintf+0xda4/0x1240
sprintf+0x9b/0xd0
wmi_dev_probe+0x1c3/0x400
driver_probe_device+0x5d1/0x990
bus_for_each_drv+0x109/0x190
__device_attach+0x217/0x360
bus_probe_device+0x1ad/0x260
deferred_probe_work_func+0x10f/0x5d0
process_one_work+0xa8b/0x1dc0
worker_thread+0x20d/0x17d0
kthread+0x311/0x3d0
ret_from_fork+0x3a/0x50
Allocated by task 32:
kasan_kmalloc+0xa0/0xd0
__kmalloc+0x14f/0x3e0
wmi_dev_probe+0x182/0x400
driver_probe_device+0x5d1/0x990
bus_for_each_drv+0x109/0x190
__device_attach+0x217/0x360
bus_probe_device+0x1ad/0x260
deferred_probe_work_func+0x10f/0x5d0
process_one_work+0xa8b/0x1dc0
worker_thread+0x20d/0x17d0
kthread+0x311/0x3d0
ret_from_fork+0x3a/0x50
Increment allocation size to fix this.
Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers")
Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/platform/x86/wmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -933,7 +933,7 @@ static int wmi_dev_probe(struct device *
goto probe_failure;
}
- buf = kmalloc(strlen(wdriver->driver.name) + 4, GFP_KERNEL);
+ buf = kmalloc(strlen(wdriver->driver.name) + 5, GFP_KERNEL);
if (!buf) {
ret = -ENOMEM;
goto probe_string_failure;
Powered by blists - more mailing lists