| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Mar 2024 10:43:33 -0700
From: "Paul E. McKenney" <paulmck@...nel.org>
To: Nikita Kiryushin <kiryushin@...ud.ru>
Cc: Frederic Weisbecker <frederic@...nel.org>,
Neeraj Upadhyay <quic_neeraju@...cinc.com>,
Joel Fernandes <joel@...lfernandes.org>,
Josh Triplett <josh@...htriplett.org>,
Boqun Feng <boqun.feng@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Lai Jiangshan <jiangshanlai@...il.com>,
Zqiang <qiang.zhang1211@...il.com>, rcu@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] rcu: Fix buffer overlow in print_cpu_stall_info()
On Thu, Mar 28, 2024 at 09:19:14PM +0300, Nikita Kiryushin wrote:
> rcuc info output in print_cpu_stall_info() contains
> posiible buffer overflow in the case of huge jiffies
> difference. The situation seems improbable, but, buffer
> overflow, still. Also, unsigned jiffies difference printed
> as (signed) %ld (which can be a bad format, if the values
> are huge).
>
> Change sprintf to snprintf and change %ld to %lu in format.
Good catch!!!
However, the signed output is intentional. The idea is that if the
timekeeping code is confused enough to run the jiffies counter backwards,
we see a small negative number rather than a huge positive number.
For example, -132 is immediately obvious, while the 64-bit unsigned
equivalent of 18446744073709551484 might not be.
would you like to resend keeping the buffer-overflow fix but leaving
out the signed-to-unsigned conversion?
Thanx, Paul
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting quiescent state")
> Signed-off-by: Nikita Kiryushin <kiryushin@...ud.ru>
> ---
> kernel/rcu/tree_stall.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
> index 5d666428546b..d4542c6e7c60 100644
> --- a/kernel/rcu/tree_stall.h
> +++ b/kernel/rcu/tree_stall.h
> @@ -504,7 +504,7 @@ static void print_cpu_stall_info(int cpu)
> rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu));
> rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j);
> if (rcuc_starved)
> - sprintf(buf, " rcuc=%ld jiffies(starved)", j);
> + snprintf(buf, sizeof(buf), " rcuc=%lu jiffies(starved)", j);
> pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u fqs=%ld%s%s\n",
> cpu,
> "O."[!!cpu_online(cpu)],
> --
> 2.34.1
>
Powered by blists - more mailing lists