lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <17647e4c.d461.19b46144a4e.Coremail.yangshiguang1011@163.com>
Date: Mon, 22 Dec 2025 20:41:33 +0800 (CST)
From: yangshiguang  <yangshiguang1011@....com>
To: "Greg KH" <gregkh@...uxfoundation.org>
Cc: rafael@...nel.org, dakr@...nel.org, peterz@...radead.org,
	linux-kernel@...r.kernel.org, yangshiguang@...omi.com,
	stable@...r.kernel.org
Subject: Re:Re: [PATCH] debugfs: Fix NULL pointer dereference at
 debugfs_read_file_str


At 2025-12-22 19:54:22, "Greg KH" <gregkh@...uxfoundation.org> wrote:
>On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@....com wrote:
>> From: yangshiguang <yangshiguang@...omi.com>
>> 
>> Check in debugfs_read_file_str() if the string pointer is NULL.
>> 
>> When creating a node using debugfs_create_str(), the string parameter
>> value can be NULL to indicate empty/unused/ignored.
>
>Why would you create an empty debugfs string file?  That is not ok, we
>should change that to not allow this.

Hi greg k-h,

Thanks for your reply.

This is due to the usage step, should write first and then read.
However, there is no way to guarantee that everyone will know about this step.

And debugfs_create_str() allows passing in a NULL string. 
Therefore, when reading a NULL string, should return an invalid error 
instead of panic.

>
>> However, reading this node using debugfs_read_file_str() will cause a
>> kernel panic.
>> This should not be fatal, so return an invalid error.
>> 
>> Signed-off-by: yangshiguang <yangshiguang@...omi.com>
>> Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
>> Cc: stable@...r.kernel.org
>> ---
>>  fs/debugfs/file.c | 3 +++
>>  1 file changed, 3 insertions(+)
>> 
>> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
>> index 3ec3324c2060..a22ff0ceb230 100644
>> --- a/fs/debugfs/file.c
>> +++ b/fs/debugfs/file.c
>> @@ -1026,6 +1026,9 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
>>  		return ret;
>>  
>>  	str = *(char **)file->private_data;
>> +	if (!str)
>> +		return -EINVAL;
>
>What in kernel user causes this to happen?  Let's fix that up instead
>please.
>

Currently I known problematic nodes in the kernel:

drivers/interconnect/debugfs-client.c:
  155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
  156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);
drivers/soundwire/debugfs.c:
  362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);

test case:
1. create a NULL string node
char *test_node = NULL;
debugfs_create_str("test_node", 0600, parent_dir, &test_node);

2. read the node, like bellow:
cat /sys/kernel/debug/test_node

>thanks,
>
>greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ