Message-ID: <aukyxucdlmthz3v5a6xoh42vmz@altlinux.org>
Date: Sat, 5 Jul 2025 02:49:28 +0300
From: Vitaly Chikunov <vt@...linux.org>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, 
	Kees Cook <kees@...nel.org>, Andreas Schwab <schwab@...ux-m68k.org>, 
	Masahiro Yamada <masahiroy@...nel.org>
Cc: stable@...r.kernel.org, Michal Marek <mmarek@...e.cz>, 
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Yong Zhi <yong.zhi@...el.com>, 
	Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>, Kai Vehmanen <kai.vehmanen@...ux.intel.com>, 
	"Borislav Petkov (AMD)" <bp@...en8.de>, Ingo Molnar <mingo@...nel.org>, Mark Brown <broonie@...nel.org>, 
	linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org
Subject: Re: [PATCH] mod_devicetable: Enlarge the maximum platform_device_id
 name length

Andy, Kees,

On Wed, Apr 16, 2025 at 09:45:52AM +0300, Andy Shevchenko wrote:
> On Tue, Apr 15, 2025 at 04:14:24PM -0700, Kees Cook wrote:
> > The 20 byte length of struct platform_device_id::name is not long enough
> > for many devices (especially regulators), where the string initialization
> > is getting truncated and missing the trailing NUL byte. This is seen
> > with GCC 15's -Wunterminated-string-initialization option:
> > 
> > drivers/regulator/hi6421v530-regulator.c:189:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   189 |         { .name = "hi6421v530-regulator" },
> >       |                   ^~~~~~~~~~~~~~~~~~~~~~
> > drivers/regulator/hi6421v600-regulator.c:278:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   278 |         { .name = "hi6421v600-regulator" },
> >       |                   ^~~~~~~~~~~~~~~~~~~~~~
> > drivers/regulator/lp87565-regulator.c:233:11: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   233 |         { "lp87565-q1-regulator", },
> >       |           ^~~~~~~~~~~~~~~~~~~~~~
> > sound/soc/fsl/imx-pcm-rpmsg.c:818:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   818 |         { .name = "rpmsg-micfil-channel" },
> >       |                   ^~~~~~~~~~~~~~~~~~~~~~
> > drivers/iio/light/hid-sensor-als.c:457:25: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   457 |                 .name = "HID-SENSOR-LISS-0041",
> >       |                         ^~~~~~~~~~~~~~~~~~~~~~
> > drivers/iio/light/hid-sensor-prox.c:366:25: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization]
> >   366 |                 .name = "HID-SENSOR-LISS-0226",
> >       |                         ^~~~~~~~~~~~~~~~~~~~~~
> > 
> > Increase the length to 24, slightly more than is currently being used by
> > the affected drivers. The string is used in '%s' format strings and via
> > the module code, which appears to do its own length encoding. This size
> > was chosen because there was already a 4 byte hole in the structure:
> > 
> > struct platform_device_id {
> >         char                       name[20];             /*     0    20 */
> > 
> >         /* XXX 4 bytes hole, try to pack */
> > 
> >         kernel_ulong_t             driver_data;          /*    24     8 */
> > 
> >         /* size: 32, cachelines: 1, members: 2 */
> >         /* sum members: 28, holes: 1, sum holes: 4 */
> >         /* last cacheline: 32 bytes */
> > };
> 
> Since there is not even potential ABI breakage, I'm fine with the change.
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>

This definitely breaks ABI on 32-bit architectures such as i586, because there
is no gap from alignment. Perhaps this also makes the commit not suitable for
backporting to stable branches?

I recently stumbled on a build failure on v5.10.239 for i586:

  make: Entering directory '/usr/src/kernel-source-5.10'
    DEPMOD  5.10.239
  depmod: FATAL: Module index: bad character '�'=0x80 - only 7-bit ASCII is supported:
  platform:jsl_rt5682_max98360ax�
  make: *** [Makefile:1786: modules_install] Error 1
  make: Leaving directory '/usr/src/kernel-source-5.10'

With this patch not applied, "jsl_rt5682_max98360a" has its terminating '\0'
truncated due to PLATFORM_NAME_SIZE being the same as the string length, and is
concatenated with the following binary data:

        {
                .name = "jsl_rt5682_max98360a",
                .driver_data = (kernel_ulong_t)(SOF_RT5682_MCLK_EN |
                                        SOF_RT5682_MCLK_24MHZ |
                                        SOF_RT5682_SSP_CODEC(0) |
                                        SOF_SPEAKER_AMP_PRESENT |
                                        SOF_MAX98360A_SPEAKER_AMP_PRESENT |
                                        SOF_RT5682_SSP_AMP(1)),
        },

modpost then interprets it as an ASCIIZ string, concatenating it with
`driver_data`, resulting in bad characters.

  static int do_platform_entry(const char *filename,
			       void *symval, char *alias)
  {
	  DEF_FIELD_ADDR(symval, platform_device_id, name);
	  sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name);
	  return 1;
  }

creating an incorrect alias, and this somehow breaks depmod in kmod 34.2
(maybe earlier).

Old kmod 30 successfully adds the incorrect alias:

  $ modinfo snd-soc-sof_rt5682.ko | grep jsl_rt5682_max98360a
  alias:          platform:jsl_rt5682_max98360a
  alias:          platform:jsl_rt5682_max98360ax�

and 

  modules.alias:alias platform:jsl_rt5682_max98360ax� snd_soc_sof_rt5682

Perhaps, scripts/mod/file2alias.c should be updated with:

-	  sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name);
+	  sprintf(alias, PLATFORM_MODULE_PREFIX "%.*s", PLATFORM_NAME_SIZE, *name);
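
Review bot: the `%.*s` precision in the added sprintf() line bounds the read to PLATFORM_NAME_SIZE bytes, but a name that fills the whole field with no NUL is still accepted silently, so the alias comes out clean while the table entry itself stays unterminated. Consider checking for a NUL within the first PLATFORM_NAME_SIZE bytes of *name and reporting the entry when none is found, and make sure the precision argument is passed as an int, which is what `*` expects.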

(Or even produce an error if more serious truncation occurs.)

Thanks,

> 
> -- 
> With Best Regards,
> Andy Shevchenko
> 
> 
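
The failure described in the message above, reproduced in user space as an added example (not code from the message or from the kernel tree). It assumes a 24-byte entry with no padding after name[20], as on i586; the driver_data bytes are constructed to match the 'x' and 0x80 characters in the depmod output, and the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PLATFORM_NAME_SIZE 20            /* size before the enlargement patch */
#define PLATFORM_MODULE_PREFIX "platform:"
#define ENTRY_SIZE 24   /* assumed 32-bit layout: name[20] + 4-byte driver_data */

/* Constructed table image: a 20-byte name with no NUL, driver_data bytes
 * 0x78 0x80 0x00 0x00 (constructed), then the all-zero terminator entry. */
static const unsigned char table[2 * ENTRY_SIZE] =
	"jsl_rt5682_max98360a" "\x78\x80";

/* Behaviour of the "%s" format: reads until the first NUL byte. */
static int alias_unbounded(const unsigned char *entry, char *alias, size_t n)
{
	return snprintf(alias, n, PLATFORM_MODULE_PREFIX "%s", (const char *)entry);
}

/* Behaviour of the "%.*s" format: stops after PLATFORM_NAME_SIZE bytes. */
static int alias_bounded(const unsigned char *entry, char *alias, size_t n)
{
	return snprintf(alias, n, PLATFORM_MODULE_PREFIX "%.*s",
			PLATFORM_NAME_SIZE, (const char *)entry);
}

/* Stricter option: detect names that have no NUL inside the field. */
static int name_is_terminated(const unsigned char *entry)
{
	return memchr(entry, '\0', PLATFORM_NAME_SIZE) != NULL;
}

/* The property depmod enforces in the error above: 7-bit ASCII only. */
static int is_7bit_ascii(const char *s)
{
	for (; *s; s++)
		if ((unsigned char)*s & 0x80)
			return 0;
	return 1;
}

int main(void)
{
	char a[64], b[64];
	alias_unbounded(table, a, sizeof(a));
	alias_bounded(table, b, sizeof(b));
	printf("unbounded: %d bytes, 7-bit clean: %d\n", (int)strlen(a), is_7bit_ascii(a));
	printf("bounded:   %s (terminated in field: %d)\n", b, name_is_terminated(table));
	return 0;
}
```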
