linux-stable/drivers/tty
Macpaul Lin beb68a727f kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
commit dada6a43b0 upstream.

This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan.

[26364:syz-executor0][name:report&]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][<ffffff9008095cf8>] dump_backtrace+0x0/0x470
[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+0xd8/0x128
[26364:syz-executor0][<ffffff90084edb38>] print_address_description+0x80/0x4a8
[26364:syz-executor0][<ffffff90084ee270>] kasan_report+0x178/0x390
[26364:syz-executor0][<ffffff90084ee4a0>] __asan_report_load1_noabort+0x18/0x20
[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][<ffffff900813af64>] param_attr_store+0x14c/0x270
[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
[26364:syz-executor0][<ffffff90086690c0>] sysfs_kf_write+0x100/0x158
[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/0xb8
[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+0xcc/0x208
[26364:syz-executor0][<ffffff90080883f0>] el0_svc_naked+0x24/0x28
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&] kgdb_tty_line+0x3f/0x40
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&]                                       ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------

After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.

Signed-off-by: Macpaul Lin <macpaul@gmail.com>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-13 09:16:22 +01:00
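The bug the commit message describes is a length-zero edge case: the handler strips a trailing newline with "config[len - 1]", and a zero-length sysfs write (the kind syzkaller produces) makes the index wrap and read the byte just before config[]. The KASAN report above attributes that byte to kgdb_tty_line+0x3f, i.e. the redzone of the neighbouring global, which is why the report names kgdb_tty_line rather than config. The following is an added userspace model of the pattern and its fix; it is not the kgdboc driver's code. The names set_config and newline_index_in_bounds are hypothetical, MAX_CONFIG_LEN's value is an assumption, and the copy uses memcpy where a driver might use strcpy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bound on the config string. The value is an assumption for this model. */
#define MAX_CONFIG_LEN 40

/* Stand-in for the driver's global config buffer. */
static char config[MAX_CONFIG_LEN];

/*
 * Shows why "config[len - 1]" is unsafe when len == 0 without performing
 * the out-of-bounds read itself: len is size_t, so len - 1 wraps to
 * SIZE_MAX, and the resulting access lands outside config[] (in the real
 * report, in the redzone of the neighbouring global).
 * Returns 1 if the index the unguarded code would use is inside config[].
 */
static int newline_index_in_bounds(size_t len, size_t *idx_out)
{
    size_t idx = len - 1;          /* wraps when len == 0 */

    *idx_out = idx;
    return idx < MAX_CONFIG_LEN;
}

/*
 * Hardened handler (hypothetical stand-in for param_set_kgdboc_var).
 * A sysfs write done with "echo ttyS0,115200 > ..." carries a trailing
 * '\n', which is chopped, but only when there is a last byte to look at.
 */
static int set_config(const char *kmessage)
{
    size_t len = strlen(kmessage);

    if (len >= MAX_CONFIG_LEN)
        return -ENOSPC;                 /* would not fit in config[] */

    memcpy(config, kmessage, len + 1);  /* copy including the terminator */

    /* The "len &&" guard is the fix: with len == 0 there is nothing to chop. */
    if (len && config[len - 1] == '\n')
        config[len - 1] = '\0';

    return 0;
}

int main(void)
{
    /* Constructed inputs of the kind a fuzzer would write to the parameter. */
    const char *inputs[] = { "", "\n", "ttyS0,115200\n", "ttyS0,115200" };
    size_t idx;

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        size_t len = strlen(inputs[i]);
        int in_bounds = newline_index_in_bounds(len, &idx);
        int rc = set_config(inputs[i]);

        printf("len=%zu unguarded index=%zu in_bounds=%d set_config=%d config=\"%s\"\n",
               len, idx, in_bounds, rc, config);
    }
    return 0;
}
```

Run it under -fsanitize=address (or KASAN in-kernel) if you want to see the unguarded dereference reported; the model deliberately checks the index instead of dereferencing it, so it stays well defined.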
hvc tty: hvc: hvc_write() fix break condition 2018-09-10 18:04:31 +02:00
ipwireless tty: ipwireless: Replace GFP_ATOMIC with GFP_KERNEL in ipwireless_network_create 2018-04-23 10:57:06 +02:00
serdev serdev: add dev_pm_domain_attach|detach() 2018-07-15 12:23:53 +02:00
serial kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() 2018-12-13 09:16:22 +01:00
vt vt: fix broken display when running aptitude 2018-11-13 11:09:00 -08:00
amiserial.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
cyclades.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
ehv_bytechan.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
goldfish.c headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
isicom.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2018-04-09 09:04:10 -07:00
Makefile tty: remove bfin_jtag_comm and hvc_bfin_jtag drivers 2018-03-26 15:57:24 +02:00
mips_ejtag_fdc.c
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c Merge 4.17-rc3 into tty-next 2018-04-30 05:14:55 -07:00
n_hdlc.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
n_null.c
n_r3964.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c tty: wipe buffer if not echoing data 2018-12-01 09:37:34 +01:00
nozomi.c tty/nozomi: fix inconsistent indentation 2018-04-25 14:54:26 +02:00
pty.c pty: fix O_CLOEXEC for TIOCGPTPEER 2018-07-21 09:08:47 +02:00
rocket.c tty: rocket: Fix possible buffer overwrite on register_PCI 2018-08-02 10:11:32 +02:00
rocket.h
rocket_int.h
synclink.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
synclink_gt.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
synclinkmp.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
sysrq.c signal: Pass pid type into do_send_sig_info 2018-07-21 12:57:35 -05:00
tty_audit.c audit: eliminate audit_enabled magic number comparison 2018-06-19 10:43:55 -04:00
tty_baudrate.c termios, tty/tty_baudrate.c: fix buffer overrun 2018-11-21 09:19:20 +01:00
tty_buffer.c tty: wipe buffer. 2018-12-01 09:37:34 +01:00
tty_io.c USB: serial: console: fix reported terminal settings 2018-12-13 09:16:15 +01:00
tty_ioctl.c tty: add missing const to termios hw-change helper 2018-05-22 10:08:05 +02:00
tty_jobctrl.c
tty_ldisc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
tty_ldsem.c atomic/tty: Fix up atomic abuse in ldsem 2018-06-28 21:07:55 +09:00
tty_mutex.c
tty_port.c tty: do not set TTY_IO_ERROR flag if console port 2018-12-13 09:16:22 +01:00
vcc.c