| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230516123719.117137-1-xiafukun@huawei.com>
Date: Tue, 16 May 2023 20:37:19 +0800
From: Xia Fukun <xiafukun@...wei.com>
To: <gregkh@...uxfoundation.org>, <prajnoha@...hat.com>
CC: <linux-kernel@...r.kernel.org>, <xiafukun@...wei.com>
Subject: [PATCH v5] kobject: Fix global-out-of-bounds in kobject_action_type()
The following c language code can trigger KASAN's global variable
out-of-bounds access error in kobject_action_type():
int main() {
int fd;
char *filename = "/sys/block/ram12/uevent";
char str[86] = "offline";
int len = 86;
fd = open(filename, O_WRONLY);
if (fd == -1) {
printf("open");
exit(1);
}
if (write(fd, str, len) == -1) {
printf("write");
exit(1);
}
close(fd);
return 0;
}
Function kobject_action_type() receives the input parameters buf and count,
where count is the length of the string buf.
In the use case we provided, count is 86, the count_first is 85.
Buf points to a string with a length of 86, and its first seven
characters are "offline".
In line 87 of the code, kobject_actions[action] is the string "offline"
with the length of 7,an out-of-boundary access will appear:
kobject_actions[action][85].
Use sysfs_match_string() to replace the fragile and convoluted loop.
This function is well-tested for parsing sysfs inputs. Moreover, this
modification will not cause any functional changes.
Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents")
Signed-off-by: Xia Fukun <xiafukun@...wei.com>
---
v4 -> v5:
- Fixed build errors and warnings, and retested the patch.
v3 -> v4:
- Refactor the function to be more obviously correct and readable.
---
lib/kobject_uevent.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
index 7c44b7ae4c5c..1ec20a7d3d45 100644
--- a/lib/kobject_uevent.c
+++ b/lib/kobject_uevent.c
@@ -64,9 +64,8 @@ static int kobject_action_type(const char *buf, size_t count,
const char **args)
{
enum kobject_action action;
- size_t count_first;
const char *args_start;
- int ret = -EINVAL;
+ int i, ret = -EINVAL;
if (count && (buf[count-1] == '\n' || buf[count-1] == '\0'))
count--;
@@ -75,23 +74,22 @@ static int kobject_action_type(const char *buf, size_t count,
goto out;
args_start = strnchr(buf, count, ' ');
- if (args_start) {
- count_first = args_start - buf;
+ if (args_start)
args_start = args_start + 1;
- } else
- count_first = count;
- for (action = 0; action < ARRAY_SIZE(kobject_actions); action++) {
- if (strncmp(kobject_actions[action], buf, count_first) != 0)
- continue;
- if (kobject_actions[action][count_first] != '\0')
- continue;
- if (args)
- *args = args_start;
- *type = action;
- ret = 0;
- break;
- }
+ /* Use sysfs_match_string() to replace the fragile and convoluted loop */
+ i = sysfs_match_string(kobject_actions, buf);
+
+ if (i < 0)
+ return ret;
+
+ action = i;
+
+ if (args)
+ *args = args_start;
+
+ *type = action;
+ ret = 0;
out:
return ret;
}
--
2.17.1
Powered by blists - more mailing lists