[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Y6CFma6PPcvJDGje@kroah.com>
Date: Mon, 19 Dec 2022 16:39:05 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: "wanghai (M)" <wanghai38@...wei.com>
Cc: Alice Chao <alice.chao@...iatek.com>, rafael@...nel.org,
jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com,
intel-wired-lan@...ts.osuosl.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kobject: Fix slab-out-of-bounds in fill_kobj_path()
On Mon, Dec 19, 2022 at 11:27:58PM +0800, wanghai (M) wrote:
> Can I send v2 like this?
>
> diff --git a/lib/kobject.c b/lib/kobject.c
> index a0b2dbfcfa23..3f97d903266a 100644
> --- a/lib/kobject.c
> +++ b/lib/kobject.c
> @@ -112,7 +112,7 @@ static int get_kobj_path_length(struct kobject *kobj)
> return length;
> }
>
> -static void fill_kobj_path(struct kobject *kobj, char *path, int length)
> +static int fill_kobj_path(struct kobject *kobj, char *path, int length)
> {
> struct kobject *parent;
>
> @@ -121,12 +121,16 @@ static void fill_kobj_path(struct kobject *kobj, char
> *path, int length)
> int cur = strlen(kobject_name(parent));
> /* back up enough to print this name with '/' */
> length -= cur;
> + if (length <= 0)
> + return -EINVAL;
> memcpy(path + length, kobject_name(parent), cur);
> *(path + --length) = '/';
> }
>
> pr_debug("kobject: '%s' (%p): %s: path = '%s'\n",
> kobject_name(kobj),
> kobj, __func__, path);
> +
> + return 0;
> }
>
> /**
> @@ -141,13 +145,17 @@ char *kobject_get_path(struct kobject *kobj, gfp_t
> gfp_mask)
> char *path;
> int len;
>
> +retry:
> len = get_kobj_path_length(kobj);
> if (len == 0)
> return NULL;
> path = kzalloc(len, gfp_mask);
> if (!path)
> return NULL;
> - fill_kobj_path(kobj, path, len);
> + if (fill_kobj_path(kobj, path, len)) {
> + kfree(path);
> + goto retry;
> + }
Much nicer, thanks!
Powered by blists - more mailing lists