| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <59380ae7-47f6-4a3d-a3e1-bc8b5762086c@163.com>
Date: Mon, 10 Jun 2024 22:48:36 +0800
From: Lk Sii <lk_sii@....com>
To: Zijun Hu <quic_zijuhu@...cinc.com>, gregkh@...uxfoundation.org,
rafael@...nel.org, akpm@...ux-foundation.org, dmitry.torokhov@...il.com
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH v3] kobject_uevent: Fix OOB access within
zap_modalias_env()
On 2024/5/30 21:14, Zijun Hu wrote:
> zap_modalias_env() wrongly calculates size of memory block to move, so
> will cause OOB memory access issue if variable MODALIAS is not the last
> one within its @env parameter, fixed by correcting size to memmove.
>
> Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
> Cc: stable@...r.kernel.org
> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
> ---
> V3: Correct inline comments and take Dmitry's suggestion
> V2: Correct commit messages and add inline comments
>
> Previous discussion links:
> https://lore.kernel.org/lkml/ZlYo20ztfLWPyy5d@google.com/
> https://lore.kernel.org/lkml/0b916393-eb39-4467-9c99-ac1bc9746512@quicinc.com/T/#m8d80165294640dbac72f5c48d14b7ca4f097b5c7
>
> lib/kobject_uevent.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> index 03b427e2707e..b7f2fa08d9c8 100644
> --- a/lib/kobject_uevent.c
> +++ b/lib/kobject_uevent.c
> @@ -433,8 +433,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env)
> len = strlen(env->envp[i]) + 1;
>
> if (i != env->envp_idx - 1) {
> + /* @env->envp[] contains pointers to @env->buf[]
> + * with @env->buflen chars, and we are removing
> + * variable MODALIAS here pointed by @env->envp[i]
> + * with length @len as shown below:
> + *
> + * 0 @env->buf[] @env->buflen
> + * ---------------------------------------------
> + * ^ ^ ^ ^
> + * | |-> @len <-| target block |
> + * @env->envp[0] @env->envp[i] @env->envp[i + 1]
> + *
> + * so the "target block" indicated above is moved
> + * backward by @len, and its right size is
> + * @env->buflen - (@env->envp[i + 1] - @env->envp[0]).
> + */
> memmove(env->envp[i], env->envp[i + 1],
> - env->buflen - len);
> + env->buflen - (env->envp[i + 1] - env->envp[0]));
>
> for (j = i; j < env->envp_idx - 1; j++)
> env->envp[j] = env->envp[j + 1] - len;
Reviewed-by: Lk Sii <lk_sii@....com>
Powered by blists - more mailing lists