• Eiichi Tsukata's avatar
    cpu/hotplug: Fix out-of-bounds read when setting fail state · 8f5e9235
    Eiichi Tsukata authored
    [ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ]
    
    Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail
    can control `struct cpuhp_step *sp` address, results in the following
    global-out-of-bounds read.
    
    Reproducer:
    
      # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail
    
    KASAN report:
    
      BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0
      Read of size 8 at addr ffffffff89734438 by task bash/1941
    
      CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31
      Call Trace:
       write_cpuhp_fail+0x2cd/0x2e0
       dev_attr_store+0x58/0x80
       sysfs_kf_write+0x13d/0x1a0
       kernfs_fop_write+0x2bc/0x460
       vfs_write+0x1e1/0x560
       ksys_write+0x126/0x250
       do_syscall_64+0xc1/0x390
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f05e4f4c970
    
      The buggy address belongs to the variable:
       cpu_hotplug_lock+0x98/0xa0
    
      Memory state around the buggy address:
       ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
                                              ^
       ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
    Add a sanity check for the value written from user space.
    
    Fixes: 1db49484 ("smp/hotplug: Hotplug state fail injection")
    Signed-off-by: 's avatarEiichi Tsukata <devel@etsukata.com>
    Signed-off-by: 's avatarThomas Gleixner <tglx@linutronix.de>
    Cc: peterz@infradead.org
    Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.comSigned-off-by: 's avatarSasha Levin <sashal@kernel.org>
    8f5e9235
cpu.c 55.4 KB