mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-20 17:41:09 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/net/netdevsim
History
Taehee Yoo fddd3f73ad netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init() 
[ Upstream commit 6fb8852b12 ]

When netdevsim dev is being created, a debugfs directory is created.
The variable "dev_ddir_name" is 16bytes device name pointer and device
name is "netdevsim<dev id>".
The maximum dev id length is 10.
So, 16bytes for device name isn't enough.

Test commands:
    modprobe netdevsim
    echo "1000000000 0" > /sys/bus/netdevsim/new_device

Splat looks like:
[  249.622710][  T900] BUG: KASAN: stack-out-of-bounds in number+0x824/0x880
[  249.623658][  T900] Write of size 1 at addr ffff88804c527988 by task bash/900
[  249.624521][  T900]
[  249.624830][  T900] CPU: 1 PID: 900 Comm: bash Not tainted 5.5.0+ #322
[  249.625691][  T900] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  249.626712][  T900] Call Trace:
[  249.627103][  T900]  dump_stack+0x96/0xdb
[  249.627639][  T900]  ? number+0x824/0x880
[  249.628173][  T900]  print_address_description.constprop.5+0x1be/0x360
[  249.629022][  T900]  ? number+0x824/0x880
[  249.629569][  T900]  ? number+0x824/0x880
[  249.630105][  T900]  __kasan_report+0x12a/0x170
[  249.630717][  T900]  ? number+0x824/0x880
[  249.631201][  T900]  kasan_report+0xe/0x20
[  249.631723][  T900]  number+0x824/0x880
[  249.632235][  T900]  ? put_dec+0xa0/0xa0
[  249.632716][  T900]  ? rcu_read_lock_sched_held+0x90/0xc0
[  249.633392][  T900]  vsnprintf+0x63c/0x10b0
[  249.633983][  T900]  ? pointer+0x5b0/0x5b0
[  249.634543][  T900]  ? mark_lock+0x11d/0xc40
[  249.635200][  T900]  sprintf+0x9b/0xd0
[  249.635750][  T900]  ? scnprintf+0xe0/0xe0
[  249.636370][  T900]  nsim_dev_probe+0x63c/0xbf0 [netdevsim]
[ ... ]

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Fixes: ab1d0cc004 ("netdevsim: change debugfs tree topology")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:35:06 -08:00
..
bpf.c netdevsim: move netdev creation/destruction to dev probe 2019-04-26 01:52:03 -04:00
bus.c netdevsim: Make nsim_num_vf static 2019-05-05 10:48:45 -07:00
dev.c netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init() 2020-02-11 04:35:06 -08:00
fib.c netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit 2019-10-13 11:30:14 -07:00
ipsec.c netdevsim: move netdev creation/destruction to dev probe 2019-04-26 01:52:03 -04:00
Makefile netdevsim: merge sdev into dev 2019-04-26 01:52:02 -04:00
netdev.c netdevsim: Restore per-network namespace accounting for fib entries 2019-08-11 20:59:19 -07:00
netdevsim.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-08-19 11:54:03 -07:00
sdev.c netdevsim: move shared dev creation and destruction into separate file 2019-04-12 16:49:54 -07:00