linux-stable/lib
Wang Hai b43cf5ad52 kobject: Fix slab-out-of-bounds in fill_kobj_path()
commit 3bb2a01caa upstream.

In kobject_get_path(), if kobj->name is changed between calls
get_kobj_path_length() and fill_kobj_path() and the length becomes
longer, then fill_kobj_path() will have an out-of-bounds bug.

The actual current problem occurs during the ixgbe probe.

In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name
becomes longer, an out-of-bounds access will occur.

cpu0                                         cpu1
ixgbe_probe
 register_netdev(netdev)
  netdev_register_kobject
   device_add
    kobject_uevent // Sending ADD events
                                             systemd-udevd // rename netdev
                                              dev_change_name
                                               device_rename
                                                kobject_rename
 ixgbe_mii_bus_init                             |
  mdiobus_register                              |
   __mdiobus_register                           |
    device_register                             |
     device_add                                 |
      kobject_uevent                            |
       kobject_get_path                         |
        len = get_kobj_path_length // old name  |
        path = kzalloc(len, gfp_mask);          |
                                                kobj->name = name;
                                                /* name length becomes
                                                 * longer
                                                 */
        fill_kobj_path /* kobj path length is
                        * longer than path,
                        * resulting in out of
                        * bounds when filling path
                        */

This is the kasan report:

==================================================================
BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0
Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673

 Workqueue: events work_for_cpu_fn
 Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x48
 print_address_description.constprop.0+0x86/0x1e7
 print_report+0x36/0x4f
 kasan_report+0xad/0x130
 kasan_check_range+0x35/0x1c0
 memcpy+0x39/0x60
 fill_kobj_path+0x50/0xc0
 kobject_get_path+0x5a/0xc0
 kobject_uevent_env+0x140/0x460
 device_add+0x5c7/0x910
 __mdiobus_register+0x14e/0x490
 ixgbe_probe.cold+0x441/0x574 [ixgbe]
 local_pci_probe+0x78/0xc0
 work_for_cpu_fn+0x26/0x40
 process_one_work+0x3b6/0x6a0
 worker_thread+0x368/0x520
 kthread+0x165/0x1a0
 ret_from_fork+0x1f/0x30

This reproducer triggers that bug:

while :
do
    rmmod ixgbe
    sleep 0.5
    modprobe ixgbe
    sleep 0.5
done

When calling fill_kobj_path() to fill path, if the name length of
kobj becomes longer, return failure and retry. This fixes the problem.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-11-08 11:21:07 +01:00
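The race the commit message describes is a check-then-use gap: the buffer is sized from one observation of the name lengths, and the fill trusts that observation even though another CPU may have replaced kobj->name in between. The following user-space C model is an added example, not the kernel's kobject.c. It uses its own names (path_length, fill_path, get_path, run_scenario) and a hook that stands in for the concurrent kobject_rename(); the device names are constructed. It shows the hardened fill refusing to write past the buffer when a component has grown and the caller recomputing the length and retrying, which is the shape of the fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a kobject chain: each node owns a name and points
 * at its parent. Constructed for this example; not struct kobject. */
struct node {
    const char *name;
    struct node *parent;
};

/* Bytes needed for "/a/b/c" plus the trailing NUL, walking the parents.
 * Plays the role of get_kobj_path_length(): it is a snapshot only. */
static size_t path_length(const struct node *n)
{
    size_t len = 1;                      /* trailing NUL */
    for (; n; n = n->parent)
        len += strlen(n->name) + 1;      /* '/' plus the component */
    return len;
}

/* Fill the path right-to-left into a buffer of `len` bytes. Before each
 * memcpy it checks that '/' + name still fits in front of the current
 * position; if a name grew after the length was computed the check fails
 * and -ENAMETOOLONG is returned instead of writing out of bounds. */
static int fill_path(const struct node *n, char *path, size_t len)
{
    size_t pos = len - 1;
    path[pos] = '\0';
    for (; n; n = n->parent) {
        size_t cur = strlen(n->name);
        if (cur + 1 > pos)               /* no room: name changed under us */
            return -ENAMETOOLONG;
        pos -= cur;
        memcpy(path + pos, n->name, cur);
        path[--pos] = '/';
    }
    return 0;
}

/* Hook run between the length snapshot and the fill, modelling the
 * concurrent rename on the other CPU. Fires at most once. */
typedef void (*race_hook_t)(void *ctx);

/* Allocate and fill the path; on -ENAMETOOLONG free the buffer and retry
 * with a fresh length, as the fix does. *retries counts the retries. */
static char *get_path(const struct node *n, race_hook_t hook, void *ctx,
                      int *retries)
{
    *retries = 0;
    for (;;) {
        size_t len = path_length(n);
        char *path = calloc(len, 1);
        if (!path)
            return NULL;
        if (hook) {                      /* "systemd-udevd renames netdev" */
            hook(ctx);
            hook = NULL;
        }
        if (fill_path(n, path, len) == 0)
            return path;
        free(path);
        (*retries)++;
    }
}

static void rename_leaf(void *ctx)
{
    struct node *leaf = ctx;
    leaf->name = "enp3s0f0";             /* longer than "eth0" (constructed) */
}

/* Build a three-level chain, optionally race a rename against the fill,
 * copy the resulting path into `out` and return the retry count. */
static int run_scenario(int do_rename, char *out, size_t outsz)
{
    struct node devices = { "devices", NULL };
    struct node pci     = { "pci0000:00", &devices };
    struct node eth     = { "eth0", &pci };
    int retries;
    char *p = get_path(&eth, do_rename ? rename_leaf : NULL, &eth, &retries);
    if (!p)
        return -1;
    snprintf(out, outsz, "%s", p);
    free(p);
    return retries;
}

int scenario_retries(int do_rename)
{
    char buf[64];
    return run_scenario(do_rename, buf, sizeof buf);
}

int scenario_path_is(int do_rename, const char *expected)
{
    char buf[64];
    if (run_scenario(do_rename, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[64];
    int r = run_scenario(1, buf, sizeof buf);
    printf("path=%s retries=%d\n", buf, r);
    return 0;
}
```

Without the length check in fill_path the renamed leaf would be copied 4 bytes past the 25-byte buffer, which is exactly the write KASAN reports above; with it the first attempt fails cleanly and the second succeeds with the 29-byte buffer.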
842 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crypto lib/crypto: blake2s: move hmac construction into wireguard 2022-06-25 11:46:27 +02:00
fonts Fonts: Replace discarded const qualifier 2020-11-10 10:29:03 +01:00
lz4 lib/lz4: make arrays static const, reduces object code size 2017-10-03 17:54:25 -07:00
lzo License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpi crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() 2023-09-23 10:47:04 +02:00
raid6 lib/raid6/test: fix multiple definition linking error 2022-04-20 09:08:12 +02:00
reed_solomon rslib: Fix handling of of caller provided syndrome 2019-07-31 07:28:30 +02:00
xz lib/xz: Validate the value before assigning it to an enum variable 2021-11-26 11:40:28 +01:00
zlib_deflate
zlib_inflate lib/zlib: remove outdated and incorrect pre-increment optimization 2020-06-25 15:41:57 +02:00
zstd lib: Add zstd modules 2017-08-15 09:02:08 -07:00
.gitignore
Kconfig ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE 2022-03-23 09:01:34 +01:00
Kconfig.debug random: remove ratelimiting for in-kernel unseeded randomness 2022-06-25 11:46:40 +02:00
Kconfig.kasan kasan: rework Kconfig settings 2018-02-16 20:23:04 +01:00
Kconfig.kgdb lib: update location of kgdb documentation 2017-05-16 08:44:22 -03:00
Kconfig.ubsan
Makefile crypto: blake2s - generic C library implementation and selftest 2022-06-25 11:46:27 +02:00
argv_split.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
asn1_decoder.c ASN.1: check for error from ASN1_OP_END__ACT actions 2017-12-14 09:52:52 +01:00
assoc_array.c assoc_array: Fix BUG_ON during garbage collect 2022-06-06 08:20:56 +02:00
atomic64.c
atomic64_test.c lib/atomic64_test.c: add a test that atomic64_inc_not_zero() returns an int 2017-07-14 15:05:13 -07:00
audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bcd.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bch.c
bitmap.c bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() 2020-01-29 15:02:39 +01:00
bitrev.c
bsearch.c kprobes: Prohibit probing on bsearch() 2019-04-05 22:31:33 +02:00
btree.c
bug.c bug: Remove redundant condition check in report_bug 2021-05-22 10:57:32 +02:00
build_OID_registry
bust_spinlocks.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
chacha20.c crypto: chacha20 - Fix chacha20_block() keystream alignment (again) 2022-06-25 11:46:31 +02:00
check_signature.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
checksum.c
clz_ctz.c lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels 2023-08-30 16:35:15 +02:00
clz_tab.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cmdline.c lib/cmdline.c: remove meaningless comment 2017-09-08 18:26:49 -07:00
compat_audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cordic.c
cpu_rmap.c lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() 2023-06-14 10:35:25 +02:00
cpumask.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc4.c lib: Add crc4 module 2017-06-09 11:52:07 +02:00
crc7.c
crc8.c
crc16.c
crc32.c lib/crc32.c: fix trivial typo in preprocessor condition 2020-10-29 09:07:10 +01:00
crc32defs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crc32test.c lib/crc32test: remove extra local_irq_disable/enable 2020-11-10 10:29:04 +01:00
ctype.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debug_info.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debug_locks.c locking/lockdep: Fix debug_locks off performance problem 2018-11-13 11:14:51 -08:00
debugobjects.c debugobjects: Recheck debug_objects_enabled before reporting 2023-08-11 11:33:47 +02:00
dec_and_lock.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
decompress.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
decompress_bunzip2.c
decompress_inflate.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
decompress_unlz4.c lib/decompress_unlz4.c: correctly handle zero-padding around initrds. 2021-07-20 16:17:51 +02:00
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression 2021-11-26 11:40:28 +01:00
devres.c devres: allow const resource arguments 2020-01-27 14:46:39 +01:00
digsig.c lib/digsig: fix dereference of NULL user_key_payload 2017-10-12 17:16:40 +01:00
div64.c lib/div64.c: off by one in shift 2019-04-20 09:15:07 +02:00
dma-debug.c dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC 2022-06-14 16:53:45 +02:00
dma-noop.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dma-virt.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dump_stack.c dump_stack: avoid the livelock of the dump_lock 2019-11-12 19:18:01 +01:00
dynamic_debug.c lib/dynamic_debug.c: use address-of operator on section symbols 2023-06-09 10:22:53 +02:00
dynamic_queue_limits.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
earlycpio.c
errseq.c errseq: Always report a writeback error once 2018-05-09 09:51:54 +02:00
extable.c lib/extable.c: use bsearch() library function in search_extable() 2017-07-10 16:32:35 -07:00
fault-inject.c fault-inject: fix wrong should_fail() decision in task context 2017-08-10 15:54:06 -07:00
fdt.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c uapi: rename ext2_swab() to swab() and share globally in swab.h 2020-04-24 08:00:31 +02:00
flex_array.c
flex_proportions.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gcd.c
gen_crc32table.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
genalloc.c lib/genalloc: fix the overflow when size is too big 2021-01-12 20:09:06 +01:00
glob.c lib: add module support to glob tests 2017-02-24 17:46:57 -08:00
globtest.c lib: add module support to glob tests 2017-02-24 17:46:57 -08:00
hexdump.c hex2bin: fix access beyond string end 2022-05-12 12:17:06 +02:00
hweight.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
idr.c ida: don't use BUG_ON() for debugging 2022-07-12 16:27:29 +02:00
inflate.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
int_sqrt.c lib/int_sqrt: optimize initial value compute 2019-04-05 22:31:24 +02:00
interval_tree.c
interval_tree_test.c lib/rbtree-test: lower default params 2018-12-17 09:28:55 +01:00
iomap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iomap_copy.c
iommu-common.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iommu-helper.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ioremap.c ioremap: Update pgtable free interfaces with addr 2018-08-17 21:01:11 +02:00
iov_iter.c lib/iov_iter: initialize "flags" in new pipe_buffer 2022-02-23 11:57:35 +01:00
irq_poll.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_regs.c
is_single_threaded.c sched/headers: Prepare to move 'init_task' and 'init_thread_union' from <linux/sched.h> to <linux/sched/task.h> 2017-03-02 08:42:38 +01:00
jedec_ddr_data.c
kasprintf.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
kfifo.c Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" 2020-01-27 14:46:44 +01:00
klist.c scsi: klist: Make it safe to use klists in atomic context 2018-10-03 17:00:48 -07:00
kobject.c kobject: Fix slab-out-of-bounds in fill_kobj_path() 2023-11-08 11:21:07 +01:00
kobject_uevent.c kobject_uevent: remove warning in init_uevent_argv() 2021-05-22 10:57:41 +02:00
kstrtox.c lib: vsprintf: Fix handling of number field widths in vsscanf 2021-07-20 16:17:33 +02:00
kstrtox.h lib: vsprintf: Fix handling of number field widths in vsscanf 2021-07-20 16:17:33 +02:00
lcm.c
libcrc32c.c crypto: Work around deallocated stack frame reference gcc bug on sparc. 2017-06-08 17:36:03 +08:00
list_debug.c bug: switch data corruption check to __must_check 2017-02-24 17:46:56 -08:00
list_sort.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
llist.c
locking-selftest-hardirq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-mutex.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rsem.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rtmutex.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-softirq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-wsem.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lockref.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lru_cache.c
memory-notifier-error-inject.c
memweight.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
net_utils.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netdev-notifier-error-inject.c
nlattr.c net: fix nla_strcmp to handle more then one trailing null character 2021-05-22 10:57:39 +02:00
nmi_backtrace.c printk/nmi: Prevent deadlock when accessing the main log buffer in NMI 2018-09-05 09:26:35 +02:00
nodemask.c nodemask: Fix return values to be unsigned 2022-06-14 16:54:01 +02:00
notifier-error-inject.c lib/notifier-error-inject: fix error when writing -errno to debugfs file 2023-01-18 09:26:10 +01:00
notifier-error-inject.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
of-reconfig-notifier-error-inject.c
oid_registry.c X.509: fix printing uninitialized stack memory when OID is empty 2018-02-25 11:08:01 +01:00
once.c once: add DO_ONCE_SLOW() for sleepable contexts 2023-01-18 09:26:04 +01:00
parman.c lib: Introduce priority array area manager 2017-02-03 16:35:42 -05:00
parser.c
pci_iomap.c
percpu-refcount.c percpu-refcount: support synchronous switch to atomic mode. 2017-03-22 19:18:43 -07:00
percpu_counter.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
percpu_ida.c sched/headers: Prepare to remove the <linux/gfp.h> include from <linux/sched.h> 2017-03-02 08:42:34 +01:00
percpu_test.c
plist.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/clock.h> 2017-03-02 08:42:27 +01:00
pm-notifier-error-inject.c
prime_numbers.c
radix-tree.c treewide: Remove uninitialized_var() usage 2023-08-11 11:33:32 +02:00
random32.c random: replace custom notifier chain with standard one 2022-06-25 11:46:36 +02:00
ratelimit.c ratelimit: Fix data-races in ___ratelimit(). 2022-09-05 10:25:04 +02:00
rational.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rbtree.c rbtree: add some additional comments for rebalancing cases 2017-09-08 18:26:48 -07:00
rbtree_test.c lib/rbtree-test: lower default params 2018-12-17 09:28:55 +01:00
reciprocal_div.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
refcount.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rhashtable.c rhashtable: Still do rehash when we get EEXIST 2019-04-03 06:25:09 +02:00
sbitmap.c sbitmap: fix improper use of smp_mb__before_atomic() 2019-05-31 06:47:10 -07:00
scatterlist.c sgl_alloc_order: fix memory leak 2020-11-05 11:06:58 +01:00
seq_buf.c seq_buf: Fix overflow in seq_buf_putmem_hex() 2021-07-20 16:17:47 +02:00
sg_pool.c
sg_split.c
sha1.c lib/crypto: sha1: re-roll loops to reduce code size 2022-06-25 11:46:27 +02:00
show_mem.c lib/show_mem.c: teach show_mem to work with the given nodemask 2017-02-22 16:41:30 -08:00
siphash.c siphash: use one source of truth for siphash permutations 2022-06-25 11:46:39 +02:00
smp_processor_id.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sort.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stackdepot.c lib: stackdepot: turn depot_lock spinlock to raw_spinlock 2021-05-22 10:57:43 +02:00
stmp_device.c
string.c lib/string: Add strscpy_pad() function 2021-02-23 14:00:30 +01:00
string_helpers.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
strncpy_from_user.c lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() 2020-06-20 10:24:58 +02:00
strnlen_user.c lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() 2020-06-20 10:24:58 +02:00
swiotlb.c swiotlb: skip swiotlb_bounce when orig_addr is zero 2022-07-02 16:18:11 +02:00
syscall.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
test-kstrtox.c
test-string_helpers.c
test_bitmap.c lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly 2018-05-22 18:53:58 +02:00
test_bpf.c bpf: add also cbpf long jump test cases with heavy expansion 2021-10-17 10:08:32 +02:00
test_debug_virtual.c lib: fix build failure in CONFIG_DEBUG_VIRTUAL test 2019-01-13 10:01:07 +01:00
test_firmware.c test_firmware: prevent race conditions by a correct implementation of locking 2023-08-30 16:35:13 +02:00
test_hash.c
test_hexdump.c test_hexdump: use memcpy instead of strncpy 2018-12-08 13:03:35 +01:00
test_kasan.c lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() 2020-02-14 16:32:08 -05:00
test_kmod.c lib/test: use after free in register_test_dev_kmod() 2022-04-20 09:08:21 +02:00
test_list_sort.c lib: add module support to linked list sorting tests 2017-05-08 17:15:10 -07:00
test_module.c
test_parman.c lib: fix spelling mistake: "actualy" -> "actually" 2017-02-26 11:03:38 -05:00
test_printf.c
test_rhashtable.c lib: test_rhashtable: Fix KASAN warning 2017-07-25 12:35:23 -07:00
test_siphash.c
test_sort.c Revert "lib/test_sort.c: make it explicitly non-modular" 2017-05-08 17:15:10 -07:00
test_static_key_base.c
test_static_keys.c
test_sysctl.c test_sysctl: test against int proc_dointvec() array support 2017-07-12 16:26:00 -07:00
test_user_copy.c lib: remove check for AVR32 arch in test_user_copy 2017-05-01 09:36:30 +02:00
test_uuid.c uuid: fix incorrect uuid_equal conversion in test_uuid_test 2017-07-21 09:38:30 +02:00
textsearch.c
timerqueue.c lib/timerqueue: Rely on rbtree semantics for next timer 2021-10-09 14:09:46 +02:00
ts_bm.c lib/ts_bm: reset initial match offset for every block of text 2023-08-11 11:33:35 +02:00
ts_fsm.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ts_kmp.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ubsan.c lib/ubsan: remove returns-nonnull-attribute checks 2023-09-23 10:46:52 +02:00
ubsan.h lib/ubsan: remove returns-nonnull-attribute checks 2023-09-23 10:46:52 +02:00
ucs2_string.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
usercopy.c uaccess: Add speculation barrier to copy_from_user() 2023-02-25 11:50:31 +01:00
uuid.c uuid: hoist uuid_is_null() helper from libnvdimm 2017-06-05 16:59:05 +02:00
vsprintf.c lib: vsprintf: Fix handling of number field widths in vsscanf 2021-07-20 16:17:33 +02:00
win_minmax.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xxhash.c lib: Add xxhash module 2017-08-15 09:02:07 -07:00