linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-27 12:57:53 +00:00

No description

Find a file

Chen Zhongjin 8b355d6b1f profiling: fix shift too large makes kernel panic [ Upstream commit `0fe6ee8f12` ] `2d186afd04` ("profiling: fix shift-out-of-bounds bugs") limits shift value by [0, BITS_PER_LONG -1], which means [0, 63]. However, syzbot found that the max shift value should be the bit number of (_etext - _stext). If shift is outside of this, the "buffer_bytes" will be zero and will cause kzalloc(0). Then the kernel panics due to dereferencing the returned pointer 16. This can be easily reproduced by passing a large number like 60 to enable profiling and then run readprofile. LOGS: BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 6148067 P4D 6148067 PUD 6142067 PMD 0 PREEMPT SMP CPU: 4 PID: 184 Comm: readprofile Not tainted 5.18.0+ #162 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_profile+0x104/0x220 RSP: 0018:ffffc900006fbe80 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888006150000 RSI: 0000000000000001 RDI: ffffffff82aba4a0 RBP: 000000000188bb60 R08: 0000000000000010 R09: ffff888006151000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82aba4a0 R13: 0000000000000000 R14: ffffc900006fbf08 R15: 0000000000020c30 FS: 000000000188a8c0(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000006144000 CR4: 00000000000006e0 Call Trace: <TASK> proc_reg_read+0x56/0x70 vfs_read+0x9a/0x1b0 ksys_read+0xa1/0xe0 ? fpregs_assert_state_consistent+0x1e/0x40 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x4d4b4e RSP: 002b:00007ffebb668d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000188a8a0 RCX: 00000000004d4b4e RDX: 0000000000000400 RSI: 000000000188bb60 RDI: 0000000000000003 RBP: 0000000000000003 R08: 000000000000006e R09: 0000000000000000 R10: 0000000000000041 R11: 0000000000000246 R12: 000000000188bb60 R13: 0000000000000400 R14: 0000000000000000 R15: 000000000188bb60 </TASK> Modules linked in: CR2: 0000000000000010 Killed ---[ end trace 0000000000000000 ]--- Check prof_len in profile_init() to prevent it be zero. Link: https://lkml.kernel.org/r/20220531012854.229439-1-chenzhongjin@huawei.com Fixes: `1da177e4c3` ("Linux-2.6.12-rc2") Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-08-25 11:18:02 +02:00
arch	crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE	2022-08-25 11:17:41 +02:00
block	blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created	2022-08-25 11:17:36 +02:00
certs	certs/blacklist_hashes.c: fix const confusion in certs blacklist	2022-06-22 14:11:22 +02:00
crypto	crypto: drbg - make reseeding from get_random_bytes() synchronous	2022-06-22 14:11:18 +02:00
Documentation	x86: Handle idle=nomwait cmdline properly for x86_idle	2022-08-25 11:17:28 +02:00
drivers	serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty()	2022-08-25 11:18:01 +02:00
fs	jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted	2022-08-25 11:18:00 +02:00
include	can: error: specify the values of data[5..7] of CAN error frames	2022-08-25 11:17:47 +02:00
init	random: handle latent entropy and command line from random_init()	2022-06-22 14:11:17 +02:00
ipc	ipc/mqueue: use get_tree_nodev() in mqueue_get_tree()	2022-06-14 18:11:41 +02:00
kernel	profiling: fix shift too large makes kernel panic	2022-08-25 11:18:02 +02:00
lib	locking/refcount: Consolidate implementations of refcount_t	2022-07-29 17:14:17 +02:00
LICENSES
mm	mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region	2022-08-25 11:17:58 +02:00
net	dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock	2022-08-25 11:17:49 +02:00
samples	samples/kretprobes: Fix return value if register_kretprobe() failed	2021-11-17 09:48:39 +01:00
scripts	modpost: fix section mismatch check for exported init/exit sections	2022-06-29 08:58:49 +02:00
security	selinux: Add boundary check in put_entry()	2022-08-25 11:17:32 +02:00
sound	ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV	2022-08-25 11:18:01 +02:00
tools	selftests/bpf: fix a test for snprintf() overflow	2022-08-25 11:17:45 +02:00
usr	initramfs: restore default compression behavior	2020-04-08 09:08:38 +02:00
virt	KVM: Don't null dereference ops->destroy	2022-08-11 12:57:52 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	MAINTAINERS: co-maintain random.c	2022-06-22 14:11:05 +02:00
Makefile	Makefile: link with -z noexecstack --no-warn-rwx-segments	2022-08-25 11:17:17 +02:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.