[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANZ3JQQdNGjzkAY-VUbs22sveHCsvCtgVkUApfTYFG7wGw1gCg@mail.gmail.com>
Date: Thu, 10 Jul 2025 23:46:41 +0800
From: Wang Haoran <haoranwangsec@...il.com>
To: "Zhuo, Qiuxu" <qiuxu.zhuo@...el.com>
Cc: "Luck, Tony" <tony.luck@...el.com>, "bp@...en8.de" <bp@...en8.de>,
"linux-edac@...r.kernel.org" <linux-edac@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: We found a bug in skx_common.c for the latest linux
Yes, I have!
Thank you for your reply.
This issue was discovered through static analysis rather than at
runtime, so unfortunately we do not have a real-world PoC or specific
dmesg log from skx_show_retry_rd_err_log().
To provide additional context, during the execution of
skx_show_retry_rd_err_log(res, skx_msg + len, MSG_SIZE - len,
scrub_err);
if len is greater than the allocated MSG_SIZE, the subsequent call
inside skx_show_retry_rd_err_log such as
n = snprintf(msg, len, " retry_rd_err_log[%.8x %.8x %.8x %.8x %.8x]",
log0, log1, log2, log3, log4);
will pass an invalid address (skx_msg + len) that has exceeded the
bounds of the skx_msg buffer. Moreover, the size parameter (len)
becomes negative, which is treated as a very large positive number due
to the use of size_t. This can result in out-of-bounds memory access
and potentially dangerous behavior in the kernel.
we crafted a minimal kernel module to demonstrate this case:
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/string.h>
static int __init snprintf_test_init(void)
{
char buf[10];
int i;
printk(KERN_INFO "snprintf_test: start\n");
for (i = 0; i < 10; i++) {
buf[i] = 'a' + i;
}
printk(KERN_INFO "snprintf_test: original buf (before snprintf):\n");
for (i = 0; i < sizeof(buf); i++) {
printk(KERN_INFO " buf[%2d] = 0x%02x (%c)\n", i, buf[i],
(buf[i] >= 32 && buf[i] <= 126) ? buf[i] : '.');
}
int len = snprintf(buf + 12, -2, "snprintf with -2 size, num: %d", 123);
printk(KERN_INFO "snprintf_test: snprintf returned %d\n", len);
printk(KERN_INFO "snprintf_test: buf after snprintf:\n");
for (i = 0; i < sizeof(buf); i++) {
printk(KERN_INFO " buf[%2d] = 0x%02x (%c)\n", i, buf[i],
(buf[i] >= 32 && buf[i] <= 126) ? buf[i] : '.');
}
return 0;
}
static void __exit snprintf_test_exit(void)
{
printk(KERN_INFO "snprintf_test: exit\n");
}
module_init(snprintf_test_init);
module_exit(snprintf_test_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("YourName");
MODULE_DESCRIPTION("snprintf test");
And here is the relevant excerpt from the kernel log (dmesg):
[ 61.503462] snprintf_test: loading out-of-tree module taints kernel.
[ 61.503472] snprintf_test: module verification failed: signature
and/or required key missing - tainting kernel
[ 61.504431] snprintf_test: start
[ 61.504433] snprintf_test: original buf (before snprintf):
[ 61.504435] buf[ 0] = 0x61 (a)
[ 61.504438] buf[ 1] = 0x62 (b)
[ 61.504440] buf[ 2] = 0x63 (c)
[ 61.504442] buf[ 3] = 0x64 (d)
[ 61.504444] buf[ 4] = 0x65 (e)
[ 61.504446] buf[ 5] = 0x66 (f)
[ 61.504448] buf[ 6] = 0x67 (g)
[ 61.504450] buf[ 7] = 0x68 (h)
[ 61.504452] buf[ 8] = 0x69 (i)
[ 61.504453] buf[ 9] = 0x6a (j)
[ 61.504466] ------------[ cut here ]------------
[ 61.504468] WARNING: CPU: 0 PID: 4133 at lib/vsprintf.c:2780
vsnprintf+0x5ad/0x5f0
[ 61.504475] Modules linked in: snprintf_test(OE+) snd_seq_dummy
snd_hrtimer target_core_user uio target_core_pscsi target_core_file
target_core_iblock iscsi_target_mod target_core_mod bnep qrtr
intel_rapl_msr intel_rapl_common polyval_clmulni polyval_generic
ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel crypto_simd
cryptd vmw_balloon snd_ens1371 snd_ac97_codec gameport ac97_bus
snd_pcm btusb btrtl snd_seq_midi snd_seq_midi_event btintel
snd_rawmidi snd_seq btbcm btmtk bluetooth snd_seq_device
vsock_loopback vmw_vsock_virtio_transport_common snd_timer
vmw_vsock_vmci_transport snd vsock binfmt_misc soundcore vmw_vmci
i2c_piix4 i2c_smbus input_leds joydev mac_hid sch_fq_codel vmwgfx
drm_ttm_helper ttm msr parport_pc ppdev lp parport efi_pstore
nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic psmouse
vga16fb serio_raw vgastate mptspi mptscsih ahci mptbase e1000 libahci
scsi_transport_spi pata_acpi usbhid hid floppy
[ 61.504595] CPU: 0 UID: 0 PID: 4133 Comm: insmod Tainted: G
OE 6.15.4-061504-generic #202506271452 PREEMPT(voluntary)
[ 61.504599] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 61.504600] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 61.504603] RIP: 0010:vsnprintf+0x5ad/0x5f0
[ 61.504606] Code: 73 04 41 c6 06 20 49 83 c6 01 4c 39 f0 75 ee 48
8b 74 24 28 49 89 c6 45 31 c9 8b 06 83 f8 2f 0f 87 28 ff ff ff e9 a5
fc ff ff <0f> 0b e9 d5 fb ff ff 48 8b 7c 24 28 48 8b 57 08 48 8d 42 08
48 89
[ 61.504608] RSP: 0018:ffffd1ea04d4f7d0 EFLAGS: 00010296
[ 61.504611] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd1ea04d4f848
[ 61.504613] RDX: ffffffffc0abe0e8 RSI: fffffffffffffffe RDI: ffffd1ea04d4f8bc
[ 61.504614] RBP: ffffd1ea04d4f838 R08: 0000000000000000 R09: 0000000000000000
[ 61.504616] R10: 0000000000000000 R11: 0000000000000000 R12: ffffd1ea04d4f8b0
[ 61.504617] R13: 0000000000000009 R14: 0000000000000009 R15: 000000000000006a
[ 61.504619] FS: 00007140a8251680(0000) GS:ffff8ccf6b49a000(0000)
knlGS:0000000000000000
[ 61.504621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.504623] CR2: 000072de22c27330 CR3: 0000000011235000 CR4: 0000000000750ef0
[ 61.504639] PKRU: 55555554
[ 61.504641] Call Trace:
[ 61.504643] <TASK>
[ 61.504648] snprintf+0x4e/0x80
[ 61.504652] snprintf_test_init+0xfb/0xff0 [snprintf_test]
[ 61.504656] ? __pfx_snprintf_test_init+0x10/0x10 [snprintf_test]
[ 61.504659] do_one_initcall+0x5d/0x330
[ 61.504697] do_init_module+0x97/0x280
[ 61.504701] load_module+0x74b/0x840
[ 61.504705] init_module_from_file+0x95/0x100
[ 61.504710] idempotent_init_module+0x110/0x300
[ 61.504715] __x64_sys_finit_module+0x6b/0xd0
[ 61.504718] x64_sys_call+0x18cd/0x2320
[ 61.504722] do_syscall_64+0x7e/0x10c0
[ 61.504724] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504727] ? ext4_llseek+0xc0/0x120
[ 61.504731] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504734] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504736] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[ 61.504739] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504741] ? syscall_exit_to_user_mode+0x38/0x1d0
[ 61.504744] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504746] ? do_syscall_64+0x8a/0x10c0
[ 61.504749] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504751] ? __fsnotify_parent+0x182/0x3e0
[ 61.504754] ? __entry_text_end+0x102579/0x10257d
[ 61.504759] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504761] ? vfs_read+0x178/0x390
[ 61.504766] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504769] ? ksys_read+0x6f/0xf0
[ 61.504771] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504774] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[ 61.504776] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504778] ? syscall_exit_to_user_mode+0x38/0x1d0
[ 61.504781] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504784] ? do_syscall_64+0x8a/0x10c0
[ 61.504786] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504788] ? do_syscall_64+0x8a/0x10c0
[ 61.504791] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504794] ? count_memcg_events.constprop.0+0x2a/0x50
[ 61.504797] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504799] ? handle_mm_fault+0x1ca/0x2e0
[ 61.504803] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504806] ? do_user_addr_fault+0x2f8/0x830
[ 61.504809] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504811] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[ 61.504814] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504816] ? irqentry_exit_to_user_mode+0x2d/0x1d0
[ 61.504819] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504821] ? irqentry_exit+0x43/0x50
[ 61.504824] ? srso_alias_return_thunk+0x5/0xfbef5
[ 61.504826] ? exc_page_fault+0x96/0x1e0
[ 61.504830] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 61.504832] RIP: 0033:0x7140a7931a2d
[ 61.504835] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e
fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 9b f3 0d 00 f7 d8 64 89
01 48
[ 61.504837] RSP: 002b:00007ffd1bbeb7e8 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[ 61.504839] RAX: ffffffffffffffda RBX: 00006484bd099790 RCX: 00007140a7931a2d
[ 61.504841] RDX: 0000000000000000 RSI: 00006484887fd19e RDI: 0000000000000003
[ 61.504843] RBP: 00007ffd1bbeb890 R08: 0000000000000000 R09: 00007ffd1bbeb8d8
[ 61.504844] R10: 0000000000000000 R11: 0000000000000246 R12: 00006484887fd19e
[ 61.504846] R13: 0000000000000000 R14: 00006484bd099750 R15: 0000000000000000
[ 61.504850] </TASK>
[ 61.504852] ---[ end trace 0000000000000000 ]---
[ 61.504854] snprintf_test: snprintf returned 0
[ 61.504856] snprintf_test: buf after snprintf:
[ 61.504857] buf[ 0] = 0x61 (a)
[ 61.504858] buf[ 1] = 0x62 (b)
[ 61.504860] buf[ 2] = 0x63 (c)
[ 61.504861] buf[ 3] = 0x64 (d)
[ 61.504863] buf[ 4] = 0x65 (e)
[ 61.504864] buf[ 5] = 0x66 (f)
[ 61.504865] buf[ 6] = 0x67 (g)
[ 61.504867] buf[ 7] = 0x68 (h)
[ 61.504868] buf[ 8] = 0x69 (i)
[ 61.504869] buf[ 9] = 0x6a (j)
On Thu, Jul 10, 2025 at 7:39 PM Zhuo, Qiuxu <qiuxu.zhuo@...el.com> wrote:
>
> Hi Haoran,
>
> > From: Wang Haoran <haoranwangsec@...il.com>
> > [...]
> > Subject: We found a bug in skx_common.c for the latest linux
> >
> > Hi, my name is Wang Haoran. We found a bug in the skx_mce_output_error
> > function located in drivers/edac/skx_common.c in the latest Linux kernel
> > (version 6.15.5).
> > The issue arises from the use of snprintf to write into the buffer skx_msg,
> > which is allocated with size MSG_SIZE.The function formats multiple strings
> > into skx_msg, including the dynamically generated adxl_msg, which is also
> > allocated with MSG_SIZE. When combined with the format string "%s%s
> > err_code:0x%04x:0x%04x %s", the total output length may exceed MSG_SIZE.
> > As a result, the return value of snprintf may be greater than the actual buffer
> > size, which can lead to truncation issues or cause the
> > skx_show_retry_rd_err_log() function to fail unexpectedly.
>
> Do you have a dmesg log for the *issue* you described here?
>
> Thanks
> -Qiuxu
Powered by blists - more mailing lists