| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210414144046.7641b845@xhacker.debian>
Date: Wed, 14 Apr 2021 14:40:46 +0800
From: Jisheng Zhang <Jisheng.Zhang@...aptics.com>
To: Ville Syrjälä <ville.syrjala@...ux.intel.com>
Cc: Jani Nikula <jani.nikula@...ux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@...el.com>,
David Airlie <airlied@...ux.ie>,
Daniel Vetter <daniel@...ll.ch>,
Chris Wilson <chris@...is-wilson.co.uk>,
Jon Bloomfield <jon.bloomfield@...el.com>,
intel-gfx@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org
Subject: Re: [PATCH] drm/i915: Fix "mitigations" parsing if i915 is builtin
Hi Ville,
On Tue, 13 Apr 2021 19:59:34 +0300 Ville Syrjälä wrote:
>
>
> On Tue, Apr 13, 2021 at 05:02:40PM +0800, Jisheng Zhang wrote:
> > I met below error during boot with i915 builtin if pass
> > "i915.mitigations=off":
> > [ 0.015589] Booting kernel: `off' invalid for parameter `i915.mitigations'
> >
> > The reason is slab subsystem isn't ready at that time, so kstrdup()
> > returns NULL. Fix this issue by using stack var instead of kstrdup().
> >
> > Fixes: 984cadea032b ("drm/i915: Allow the sysadmin to override security mitigations")
> > Signed-off-by: Jisheng Zhang <Jisheng.Zhang@...aptics.com>
> > ---
> > drivers/gpu/drm/i915/i915_mitigations.c | 7 ++-----
> > 1 file changed, 2 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/i915_mitigations.c b/drivers/gpu/drm/i915/i915_mitigations.c
> > index 84f12598d145..7dadf41064e0 100644
> > --- a/drivers/gpu/drm/i915/i915_mitigations.c
> > +++ b/drivers/gpu/drm/i915/i915_mitigations.c
> > @@ -29,15 +29,13 @@ bool i915_mitigate_clear_residuals(void)
> > static int mitigations_set(const char *val, const struct kernel_param *kp)
> > {
> > unsigned long new = ~0UL;
> > - char *str, *sep, *tok;
> > + char str[64], *sep, *tok;
> > bool first = true;
> > int err = 0;
> >
> > BUILD_BUG_ON(ARRAY_SIZE(names) >= BITS_PER_TYPE(mitigations));
> >
> > - str = kstrdup(val, GFP_KERNEL);
> > - if (!str)
> > - return -ENOMEM;
> > + strncpy(str, val, sizeof(str) - 1);
>
> I don't think strncpy() guarantees that the string is properly
> terminated.
>
> Also commit b1b6bed3b503 ("usb: core: fix quirks_param_set() writing to
> a const pointer") looks broken as well given your findings, and
> arch/um/drivers/virtio_uml.c seems to suffer from this as well.
> kernel/params.c itself seems to have some slab_is_available() magic
> around kmalloc().
Just tried the "usbcore.quirks" with usb builtin, I can't reproduce the
issue. Futher investigation shows that device_param_cb() macro is the
key, or the "6" in __level_param_cb(name, ops, arg, perm, 6) is the key.
While i915.mitigations uses module_param_cb_unsafe(), in which the level
will be "-1"
arch/um/drivers/virtio_uml.c also makes use of device_param_cb()
thanks
Powered by blists - more mailing lists