mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-06 00:39:48 +00:00
Code Issues Releases Wiki Activity
No description
1219198 commits 105 branches 5106 tags 5.6 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Find a file
JP Kobryn 0590874226 9p: prevent read overrun in protocol dump tracepoint 
commit a931c68160 upstream.

An out of bounds read can occur within the tracepoint 9p_protocol_dump. In
the fast assign, there is a memcpy that uses a constant size of 32 (macro
named P9_PROTO_DUMP_SZ). When the copy is invoked, the source buffer is not
guaranteed match this size.  It was found that in some cases the source
buffer size is less than 32, resulting in a read that overruns.

The size of the source buffer seems to be known at the time of the
tracepoint being invoked. The allocations happen within p9_fcall_init(),
where the capacity field is set to the allocated size of the payload
buffer. This patch tries to fix the overrun by changing the fixed array to
a dynamically sized array and using the minimum of the capacity value or
P9_PROTO_DUMP_SZ as its length. The trace log statement is adjusted to
account for this. Note that the trace log no longer splits the payload on
the first 16 bytes. The full payload is now logged to a single line.

To repro the orignal problem, operations to a plan 9 managed resource can
be used. The simplest approach might just be mounting a shared filesystem
(between host and guest vm) using the plan 9 protocol while the tracepoint
is enabled.

mount -t 9p -o trans=virtio <mount_tag> <mount_path>

The bpftrace program below can be used to show the out of bounds read.
Note that a recent version of bpftrace is needed for the raw tracepoint
support. The script was tested using v0.19.0.

/* from include/net/9p/9p.h */
struct p9_fcall {
    u32 size;
    u8 id;
    u16 tag;
    size_t offset;
    size_t capacity;
    struct kmem_cache *cache;
    u8 *sdata;
    bool zc;
};

tracepoint:9p:9p_protocol_dump
{
    /* out of bounds read can happen when this tracepoint is enabled */
}

rawtracepoint:9p_protocol_dump
{
    $pdu = (struct p9_fcall *)arg1;
    $dump_sz = (uint64)32;

    if ($dump_sz > $pdu->capacity) {
        printf("reading %zu bytes from src buffer of %zu bytes\n",
            $dump_sz, $pdu->capacity);
    }
}

Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
Message-ID: <20231204202321.22730-1-inwardvessel@gmail.com>
Fixes: 60ece0833b ("net/9p: allocate appropriate reduced message buffers")
Cc: stable@vger.kernel.org
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-01 12:42:43 +00:00
arch ARM: dts: Fix occasional boot hang for am3 usb 2024-01-01 12:42:38 +00:00
block blk-cgroup: bypass blkcg_deactivate_policy after destroying 2023-12-20 17:01:55 +01:00
certs certs: Reference revocation list for all keyrings 2023-08-17 20:12:41 +00:00
crypto crypto: pcrypt - Fix hungtask for PADATA_RESET 2023-11-28 17:19:42 +00:00
Documentation dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp 2024-01-01 12:42:42 +00:00
drivers drm/i915/dmc: Don't enable any pipe DMC events 2024-01-01 12:42:43 +00:00
fs smb: client: fix OOB in smbCalcSize() 2024-01-01 12:42:43 +00:00
include 9p: prevent read overrun in protocol dump tracepoint 2024-01-01 12:42:43 +00:00
init proc: sysctl: prevent aliased sysctls from getting passed to init 2023-11-28 17:19:57 +00:00
io_uring io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation 2023-12-20 17:01:52 +01:00
ipc Add x86 shadow stack support 2023-08-31 12:20:12 -07:00
kernel bpf: Fix prog_array_map_poke_run map poke update 2024-01-01 12:42:23 +00:00
lib cred: get rid of CONFIG_DEBUG_CREDENTIALS 2023-12-20 17:01:51 +01:00
LICENSES
mm mm/damon/core: make damon_start() waits until kdamond_fn() starts 2024-01-01 12:42:23 +00:00
net net: avoid build bug in skb extension length calculation 2024-01-01 12:42:42 +00:00
rust rust: docs: fix logo replacement 2023-10-19 16:40:00 +02:00
samples samples/bpf: syscall_tp_user: Fix array out-of-bound access 2023-11-28 17:19:48 +00:00
scripts scripts/checkstack.pl: match all stack sizes for s390 2023-12-20 17:01:59 +01:00
security keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2024-01-01 12:42:33 +00:00
sound ASoC: tas2781: check the validity of prm_no/cfg_no 2024-01-01 12:42:40 +00:00
tools Revert "selftests: error out if kernel header files are not yet built" 2023-12-20 17:02:01 +01:00
usr
virt ARM: 2023-09-07 13:52:20 -07:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap 20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues 2023-10-24 09:52:16 -10:00
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS Char/Misc driver fixes for 6.6-final 2023-10-28 07:51:27 -10:00
Makefile Linux 6.6.8 2023-12-20 17:02:07 +01:00
README

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.