• Macpaul Lin's avatar
    kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() · c3ee3804
    Macpaul Lin authored
    BugLink: https://bugs.launchpad.net/bugs/1811077
    
    commit dada6a43 upstream.
    
    This patch is trying to fix KE issue due to
    "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
    reported by Syzkaller scan."
    
    [26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
    [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
    [26364:syz-executor0]Call trace:
    [26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
    [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
    [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
    [26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
    [26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
    [26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
    [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
    [26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
    [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
    [26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
    [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
    [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
    [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
    [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
    [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
    [26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:report&]The buggy address belongs to the variable:
    [26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:report&]Memory state around the buggy address:
    [26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
    [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
    [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
    [26364:syz-executor0][name:report&]                                       ^
    [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
    [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
    [26364:syz-executor0]------------[cut here]------------
    
    After checking the source code, we've found there might be an out-of-bounds
    access to "config[len - 1]" array when the variable "len" is zero.
    Signed-off-by: default avatarMacpaul Lin <macpaul@gmail.com>
    Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    c3ee3804
kgdboc.c 7.46 KB