[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YsxJlIEEjlvZKSRg@bombadil.infradead.org>
Date: Mon, 11 Jul 2022 09:02:28 -0700
From: Luis Chamberlain <mcgrof@...nel.org>
To: Adrian Hunter <adrian.hunter@...el.com>
Cc: Aaron Tomlin <atomlin@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Jiri Olsa <jolsa@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] modules: Fix corruption of /proc/kallsyms
On Mon, Jul 11, 2022 at 10:48:16AM +0300, Adrian Hunter wrote:
> On 2/07/22 00:40, Luis Chamberlain wrote:
> > On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
> >> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
> >> file") changed from using strlcpy() to using strscpy() which created a
> >> buffer overflow. That happened because:
> >> 1) an incorrect value was passed as the buffer length
> >> 2) strscpy() (unlike strlcpy()) may copy beyond the length of the
> >> input string when copying word-by-word.
> >> The assumption was that because it was already known that the strings
> >> being copied would fit in the space available, it was not necessary
> >> to correctly set the buffer length. strscpy() breaks that assumption
> >> because although it will not touch bytes beyond the given buffer length
> >> it may write bytes beyond the input string length when writing
> >> word-by-word.
> >>
> >> The result of the buffer overflow is to corrupt the symbol type
> >> information that follows. e.g.
> >>
> >> $ sudo cat -v /proc/kallsyms | grep '\^' | head
> >> ffffffffc0615000 ^@ rfcomm_session_get [rfcomm]
> >> ffffffffc061c060 ^@ session_list [rfcomm]
> >> ffffffffc06150d0 ^@ rfcomm_send_frame [rfcomm]
> >> ffffffffc0615130 ^@ rfcomm_make_uih [rfcomm]
> >> ffffffffc07ed58d ^@ bnep_exit [bnep]
> >> ffffffffc07ec000 ^@ bnep_rx_control [bnep]
> >> ffffffffc07ec1a0 ^@ bnep_session [bnep]
> >> ffffffffc07e7000 ^@ input_leds_event [input_leds]
> >> ffffffffc07e9000 ^@ input_leds_handler [input_leds]
> >> ffffffffc07e7010 ^@ input_leds_disconnect [input_leds]
> >>
> >> Notably, the null bytes (represented above by ^@) can confuse tools.
> >>
> >> Fix by correcting the buffer length.
> >>
> >> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
> >> Signed-off-by: Adrian Hunter <adrian.hunter@...el.com>
> >
> > Queued up thanks!
> >
> > Luis
>
> Thanks for processing this.
>
> I notice it is -rc6 and I do not see it in Linus' tree. This is a fix
> for a regression, shouldn't it be included in 5.19?
Yeah sorry this will get to Linus today.
Luis
Powered by blists - more mailing lists