    cpu/hotplug: Fix out-of-bounds read when setting fail state · 8f5e9235
    Eiichi Tsukata authored
    [ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ]
    
    Setting an invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail
    can control the `struct cpuhp_step *sp` address, resulting in the following
    global-out-of-bounds read.
    
    Reproducer:
    
      # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail
    
    KASAN report:
    
      BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0
      Read of size 8 at addr ffffffff89734438 by task bash/1941
    
      CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31
      Call Trace:
       write_cpuhp_fail+0x2cd/0x2e0
       dev_attr_store+0x58/0x80
       sysfs_kf_write+0x13d/0x1a0
       kernfs_fop_write+0x2bc/0x460
       vfs_write+0x1e1/0x560
       ksys_write+0x126/0x250
       do_syscall_64+0xc1/0x390
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f05e4f4c970
    
      The buggy address belongs to the variable:
       cpu_hotplug_lock+0x98/0xa0
    
      Memory state around the buggy address:
       ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
                                              ^
       ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
    Add a sanity check for the value written from user space.
    
    Fixes: 1db49484 ("smp/hotplug: Hotplug state fail injection")
    Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: peterz@infradead.org
    Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>
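The following user-space C program is an added example and is not part of the commit or of the kernel source. It models the bug pattern the message describes and the kind of sanity check it adds: a signed integer parsed from the string a user wrote is used as an index into a fixed global table, so a value such as -2 steers the pointer into whatever global sits next to that table. The names `struct step`, `steps`, `STEP_OFFLINE`, `STEP_ONLINE`, `parse_fail`, `unchecked_offset` and `write_fail_checked`, and the table contents, are constructed for the example; the kernel's real cpuhp state enum and step table differ.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not kernel code: a user-space model of a sysfs store
 * handler that turns the string a user wrote into an index into a fixed
 * global table. Table layout, names and step count are constructed.
 */
struct step {
	const char *name;
	bool has_callbacks;	/* failure can only be injected where callbacks run */
};

enum { STEP_OFFLINE = 0, STEP_ONLINE = 3, NR_STEPS = STEP_ONLINE + 1 };

static const struct step steps[NR_STEPS] = {
	[STEP_OFFLINE] = { "offline",   false },
	[1]            = { "bringup",   true  },
	[2]            = { "ap:online", true  },
	[STEP_ONLINE]  = { "online",    false },
};

/* kstrtoint-like: the whole buffer must be one base-10 integer; one trailing '\n' is tolerated. */
static int parse_fail(const char *buf, int *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(buf, &end, 10);
	if (end == buf || errno == ERANGE || v < INT_MIN || v > INT_MAX)
		return -EINVAL;
	if (*end == '\n')
		end++;
	if (*end != '\0')
		return -EINVAL;
	*out = (int)v;
	return 0;
}

/*
 * Buggy pattern: the parsed value is used as a table index with no range
 * check. Forming the out-of-bounds pointer is undefined behaviour in user
 * space, so this returns the byte offset from the table base that
 * `&steps[fail]` would point at. A negative offset, or one at or beyond
 * sizeof(steps), lands in the table's neighbouring global; in the KASAN
 * report above that neighbour was cpu_hotplug_lock.
 */
static int unchecked_offset(const char *buf, long *off)
{
	int fail, ret = parse_fail(buf, &fail);

	if (ret)
		return ret;
	*off = (long)fail * (long)sizeof(struct step);
	return 0;
}

/* Fixed pattern: reject anything outside the table before the index is used. */
static int write_fail_checked(const char *buf, const char **chosen)
{
	const struct step *sp;
	int fail, ret = parse_fail(buf, &fail);

	if (ret)
		return ret;
	if (fail < STEP_OFFLINE || fail > STEP_ONLINE)
		return -EINVAL;		/* the sanity check on the user-supplied value */
	sp = &steps[fail];
	if (!sp->has_callbacks)
		return -EINVAL;		/* nothing to inject a failure into */
	*chosen = sp->name;
	return 0;
}

int main(void)
{
	const char *inputs[] = { "-2\n", "1\n", "4\n", "abc\n" };	/* constructed writes */
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
		const char *name = NULL;
		long off = 0;
		int len = (int)strcspn(inputs[i], "\n");
		int uret = unchecked_offset(inputs[i], &off);
		int cret = write_fail_checked(inputs[i], &name);

		if (uret)
			printf("echo %.*s > fail: rejected by parser (%d)\n", len, inputs[i], uret);
		else
			printf("echo %.*s > fail: unchecked read at table offset %ld (table is %zu bytes); checked handler -> %s\n",
			       len, inputs[i], off, sizeof steps, cret ? "-EINVAL" : name);
	}
	return 0;
}
```

The range check has to run before `&steps[fail]` is formed, not after: once the pointer exists, any field read through it is already the out-of-bounds access KASAN reported, and a later `sp->has_callbacks`-style test only reads attacker-chosen memory.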