lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f9f3b82e-dd37-eff8-3718-1b71746e8c01@redhat.com>
Date: Tue, 6 May 2025 14:28:13 +0200 (CEST)
From: Mikulas Patocka <mpatocka@...hat.com>
To: Tudor Ambarus <tudor.ambarus@...aro.org>
cc: Alasdair Kergon <agk@...hat.com>, Mike Snitzer <snitzer@...nel.org>, 
    Benjamin Marzinski <bmarzins@...hat.com>, dm-devel@...ts.linux.dev, 
    linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] dm: fix copying after src array boundaries



On Tue, 6 May 2025, Tudor Ambarus wrote:

> The blammed commit copied to argv the size of the reallocated argv,
> instead of the size of the old_argv, thus reading and copying from
> past the old_argv allocated memory.
> 
> Following BUG_ON was hit:
> [    3.038929][    T1] kernel BUG at lib/string_helpers.c:1040!
> [    3.039147][    T1] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
> ...
> [    3.056489][    T1] Call trace:
> [    3.056591][    T1]  __fortify_panic+0x10/0x18 (P)
> [    3.056773][    T1]  dm_split_args+0x20c/0x210
> [    3.056942][    T1]  dm_table_add_target+0x13c/0x360
> [    3.057132][    T1]  table_load+0x110/0x3ac
> [    3.057292][    T1]  dm_ctl_ioctl+0x424/0x56c
> [    3.057457][    T1]  __arm64_sys_ioctl+0xa8/0xec
> [    3.057634][    T1]  invoke_syscall+0x58/0x10c
> [    3.057804][    T1]  el0_svc_common+0xa8/0xdc
> [    3.057970][    T1]  do_el0_svc+0x1c/0x28
> [    3.058123][    T1]  el0_svc+0x50/0xac
> [    3.058266][    T1]  el0t_64_sync_handler+0x60/0xc4
> [    3.058452][    T1]  el0t_64_sync+0x1b0/0x1b4
> [    3.058620][    T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000)
> [    3.058897][    T1] ---[ end trace 0000000000000000 ]---
> [    3.059083][    T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
> 
> Fix it by copying the size of src, and not the size of dst, as it was.
> 
> Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success")
> Cc: stable@...r.kernel.org
> Signed-off-by: Tudor Ambarus <tudor.ambarus@...aro.org>
> ---
>  drivers/md/dm-table.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
> index 9e175c5e0634b49b990436898f63c2b1e696febb..6dae73ee49dbb36d89341ff09556876d0973c4ff 100644
> --- a/drivers/md/dm-table.c
> +++ b/drivers/md/dm-table.c
> @@ -524,9 +524,9 @@ static char **realloc_argv(unsigned int *size, char **old_argv)
>  	}
>  	argv = kmalloc_array(new_size, sizeof(*argv), gfp);
>  	if (argv) {
> -		*size = new_size;
>  		if (old_argv)
>  			memcpy(argv, old_argv, *size * sizeof(*argv));
> +		*size = new_size;
>  	}
>  
>  	kfree(old_argv);
> 
> ---
> base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb
> change-id: 20250506-dm-past-array-boundaries-1fe2f5a1030f
> 
> Best regards,
> -- 
> Tudor Ambarus <tudor.ambarus@...aro.org>

Thanks

I sent a pull request to Linus that includes this patch.

Mikulas


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ