Message-Id: <20200127143034.1367-1-ap420073@gmail.com>
Date: Mon, 27 Jan 2020 14:30:34 +0000
From: Taehee Yoo <ap420073@...il.com>
To: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org
Cc: ap420073@...il.com
Subject: [PATCH net v2 3/6] netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init()

When a netdevsim dev is being created, a debugfs directory is created.
The variable "dev_ddir_name" is a 16-byte device name pointer and the
device name is "netdevsim<dev id>".
The maximum dev id length is 10.
So, 16 bytes for the device name isn't enough.

Test commands:
    modprobe netdevsim
    echo "1000000000 0" > /sys/bus/netdevsim/new_device

Splat looks like:
[ 362.229174][ T889] BUG: KASAN: stack-out-of-bounds in number+0x824/0x880
[ 362.230221][ T889] Write of size 1 at addr ffff8880c1def988 by task bash/889
[ 362.231541][ T889]
[ 362.232116][ T889] CPU: 2 PID: 889 Comm: bash Not tainted 5.5.0-rc6+ #318
[ 362.233233][ T889] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 362.237316][ T889] Call Trace:
[ 362.237790][ T889] dump_stack+0x96/0xdb
[ 362.238471][ T889] ? number+0x824/0x880
[ 362.239137][ T889] print_address_description.constprop.5+0x1be/0x360
[ 362.240166][ T889] ? number+0x824/0x880
[ 362.240782][ T889] ? number+0x824/0x880
[ 362.254907][ T889] __kasan_report+0x12a/0x16f
[ 362.276693][ T889] ? number+0x824/0x880
[ 362.284345][ T889] kasan_report+0xe/0x20
[ 362.291523][ T889] number+0x824/0x880
[ 362.305981][ T889] ? put_dec+0xa0/0xa0
[ 362.306583][ T889] ? rcu_read_lock_sched_held+0x90/0xc0
[ 362.307779][ T889] vsnprintf+0x63c/0x10b0
[ 362.308440][ T889] ? pointer+0x5b0/0x5b0
[ 362.309068][ T889] ? mark_lock+0x11d/0xc40
[ 362.309740][ T889] sprintf+0x9b/0xd0
[ 362.327152][ T889] ? scnprintf+0xe0/0xe0
[ 362.327888][ T889] nsim_dev_probe+0x63c/0xbf0 [netdevsim]
[ 362.328882][ T889] ? kernfs_next_descendant_post+0x11d/0x250
[ 362.331521][ T889] ? nsim_dev_reload_up+0x500/0x500 [netdevsim]
[ 362.333054][ T889] ? kernfs_add_one+0x2c6/0x410
[ 362.334145][ T889] ? kernfs_get.part.12+0x4c/0x60
[ 362.335181][ T889] ? kernfs_put+0x29/0x4b0
[ 362.335814][ T889] ? kernfs_create_link+0x170/0x230
[ 362.336600][ T889] ? sysfs_do_create_link_sd.isra.2+0x87/0xf0
[ 362.338118][ T889] really_probe+0x4b2/0xb50
[ 362.338789][ T889] ? driver_allows_async_probing+0x110/0x110
[ 362.340055][ T889] driver_probe_device+0x24d/0x370
[ 362.349864][ T889] ? __device_attach_driver+0xae/0x210
[ 362.364057][ T889] ? driver_allows_async_probing+0x110/0x110
[ 362.367598][ T889] bus_for_each_drv+0x10f/0x190
[ 362.371583][ T889] ? bus_rescan_devices+0x20/0x20
[ 362.372524][ T889] ? mutex_lock_io_nested+0x1380/0x1380
[ 362.374546][ T889] __device_attach+0x1b1/0x2d0
[ 362.376621][ T889] ? device_bind_driver+0xa0/0xa0
[ 362.378889][ T889] ? wait_for_completion+0x390/0x390
[ 362.379727][ T889] bus_probe_device+0x1a7/0x250
[ 362.380635][ T889] device_add+0x1101/0x1900
[ 362.381590][ T889] ? memset+0x1f/0x40
[ 362.382409][ T889] ? lockdep_init_map+0x10c/0x630
[ 362.383701][ T889] ? device_link_remove+0x120/0x120
[ 362.386953][ T889] ? lockdep_init_map+0x10c/0x630
[ 362.387656][ T889] ? __init_waitqueue_head+0x3a/0x90
[ 362.388868][ T889] new_device_store+0x277/0x4c0 [netdevsim]
[ 362.389822][ T889] ? del_port_store+0x160/0x160 [netdevsim]
[ ... ]
Fixes: ab1d0cc004d7 ("netdevsim: change debugfs tree topology")
Signed-off-by: Taehee Yoo <ap420073@...il.com>
---
v1 -> v2:
- Update Fixes tag
- Do not use arbitrary 32 bytes for dev_ddir_name
drivers/net/netdevsim/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 0dfaf999e8db..2c23b232926b 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -87,7 +87,7 @@ static const struct file_operations nsim_dev_take_snapshot_fops = {
static int nsim_dev_debugfs_init(struct nsim_dev *nsim_dev)
{
- char dev_ddir_name[16];
+ char dev_ddir_name[sizeof(DRV_NAME) + 10];
sprintf(dev_ddir_name, DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id);
nsim_dev->ddir = debugfs_create_dir(dev_ddir_name, nsim_dev_ddir);
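Review bot: the sprintf() call on the unchanged line after the new declaration is still unbounded, so the fix is only correct as long as "%u" never prints more than 10 digits. sizeof(DRV_NAME) already counts the terminating NUL, which makes the new array an exact fit for the longest name with no slack. Consider snprintf(dev_ddir_name, sizeof(dev_ddir_name), ...) so the write is bounded by the array itself, and either a short comment or a named constant for the literal 10 so the link to the width of dev.id is visible to whoever next changes the format string or the id type.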
--
2.17.1
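
The sizing arithmetic from the commit message, as an added user-space example that is not part of the patch or of the netdevsim driver. It assumes DRV_NAME is "netdevsim" (from the name format quoted in the message) and a 32-bit unsigned int; the helper names ddir_name_size() and format_ddir_name() are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: DRV_NAME is "netdevsim", per the name format in the message. */
#define DRV_NAME "netdevsim"

/* Bytes needed to hold DRV_NAME "%u" for this id, including the NUL. */
static size_t ddir_name_size(unsigned int id)
{
    int n = snprintf(NULL, 0, DRV_NAME "%u", id);

    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: 0 on success, -1 if the name does not fit in buf. */
static int format_ddir_name(char *buf, size_t size, unsigned int id)
{
    int n = snprintf(buf, size, DRV_NAME "%u", id);

    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char old_buf[16];                     /* array size before the patch */
    char new_buf[sizeof(DRV_NAME) + 10];  /* array size after the patch */
    /* Constructed sample ids, including the one from the test commands. */
    unsigned int ids[] = { 0, 999999, 1000000, 1000000000u, UINT_MAX };

    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        int old_ok = format_ddir_name(old_buf, sizeof(old_buf), ids[i]) == 0;
        int new_ok = format_ddir_name(new_buf, sizeof(new_buf), ids[i]) == 0;

        printf("id=%-10u needs %2zu bytes  old[16]: %-9s new[%zu]: %s\n",
               ids[i], ddir_name_size(ids[i]),
               old_ok ? "fits" : "overflow",
               sizeof(new_buf), new_ok ? "fits" : "overflow");
    }
    return 0;
}
```

With these assumptions, 999999 is the largest id whose name still fits in the old 16-byte array.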