* [PATCH] powerpc: pseries/hvconsole: fix stack overread
@ 2019-05-23  1:57 Daniel Axtens
  0 siblings, 0 replies; only message in thread
From: Daniel Axtens @ 2019-05-23  1:57 UTC (permalink / raw)
  To: linuxppc-dev; +Cc: Dmitry Vyukov, Daniel Axtens

While developing kasan for 64-bit book3s, I hit the following stack
over-read.

It occurs because the hypercall to put characters onto the terminal
takes 2 longs (128 bits/16 bytes) of characters at a time, and so
hvc_put_chars would unconditionally copy 16 bytes from the argument
buffer, regardless of supplied length. However, sometimes
hvc_put_chars is called with less than 16 characters, leading to the
error.

Use memcpy to copy the correct length.

==================================================================
BUG: KASAN: stack-out-of-bounds in hvc_put_chars+0x44/0xc0
Read of size 8 at addr c00000000169fac0 by task swapper/0

CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc2-00065-g7e26a58cb076 #43
Call Trace:
[c00000000169f770] [c000000000e83900] dump_stack+0xc4/0x114 (unreliable)
[c00000000169f7c0] [c0000000003f3034] print_address_description+0xd0/0x3cc
[c00000000169f850] [c0000000003f2c0c] kasan_report+0x20c/0x224
[c00000000169f920] [c0000000003f4808] __asan_load8+0x198/0x330
[c00000000169f9c0] [c0000000000d7264] hvc_put_chars+0x44/0xc0
[c00000000169fa40] [c00000000089b998] hvterm_raw_put_chars+0x78/0xb0
[c00000000169fa80] [c00000000089bff0] udbg_hvc_putc+0x110/0x1a0
[c00000000169fb30] [c000000000036610] udbg_write+0xa0/0x1a0
[c00000000169fb80] [c0000000001b9cd4] console_unlock+0x694/0x810
[c00000000169fc80] [c0000000001bc5ec] vprintk_emit+0x24c/0x310
[c00000000169fcf0] [c0000000001bde04] vprintk_func+0xd4/0x250
[c00000000169fd40] [c0000000001bd088] printk+0x38/0x4c
[c00000000169fd60] [c0000000012ec4a0] kasan_init+0x330/0x350
[c00000000169fde0] [c0000000012dc304] setup_arch+0x4b4/0x504
[c00000000169fe70] [c0000000012d3e50] start_kernel+0x10c/0x868
[c00000000169ff90] [c00000000000b360] start_here_common+0x1c/0x53c

Memory state around the buggy address:
 c00000000169f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c00000000169fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>c00000000169fa80: 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 00 00 00 00
                                           ^
 c00000000169fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c00000000169fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

CC: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 arch/powerpc/platforms/pseries/hvconsole.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c
index 74da18de853a..c39907b635eb 100644
--- a/arch/powerpc/platforms/pseries/hvconsole.c
+++ b/arch/powerpc/platforms/pseries/hvconsole.c
@@ -67,9 +67,10 @@ EXPORT_SYMBOL(hvc_get_chars);
  */
 int hvc_put_chars(uint32_t vtermno, const char *buf, int count)
 {
-	unsigned long *lbuf = (unsigned long *) buf;
+	unsigned long lbuf[2];
 	long ret;
 
+	memcpy(lbuf, buf, count);
 
 	/* hcall will ret H_PARAMETER if 'count' exceeds firmware max.*/
 	if (count > MAX_VIO_PUT_CHARS)
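Review bot: the new `memcpy(lbuf, buf, count)` runs before the `if (count > MAX_VIO_PUT_CHARS)` check that follows it, so a `count` larger than the 16 bytes `lbuf[2]` holds would now write past the local array, trading the stack over-read the patch removes for a stack overwrite. Move the copy below that check so it only ever sees a bounded `count`. Also consider `unsigned long lbuf[2] = { 0 };`: with `count < 16` the tail of `lbuf` is otherwise uninitialized stack contents that get handed to the hypervisor, whereas the zero-initialized form makes the unused bytes deterministic. Minor: the insertion leaves a blank line on each side of the `memcpy`; one is enough.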
-- 
2.19.1
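
The pattern described in the commit message, as an added example that is not code from the patch or from the kernel: the hypercall takes the characters as two longs (16 bytes on 64-bit), so reinterpreting the caller's `char` buffer as `unsigned long *` and reading both words always touches 16 bytes, even when the caller passed fewer (the KASAN shadow `01 f2 f2 f2` in the report marks a one-byte stack object). The hardened form below clamps `count`, then copies exactly `count` bytes into a zeroed local array. The names `pack_overread`, `pack_chars`, `pack_roundtrip_ok`, `pack_count` and `HVC_MAX_CHARS` are stand-ins invented here; `HVC_MAX_CHARS` plays the role of `MAX_VIO_PUT_CHARS` and is assumed to equal the 16 bytes the hcall carries.

```c
/*
 * Added example (not kernel code): packing `count` bytes into the two
 * longs a character-output hypercall expects, first in the over-read
 * shape the commit message describes, then in a corrected shape.
 */
#include <stdio.h>
#include <string.h>

#define HVC_WORDS 2
/* Stand-in for MAX_VIO_PUT_CHARS, assumed to be the 16 bytes the hcall carries. */
#define HVC_MAX_CHARS (HVC_WORDS * sizeof(unsigned long))

/*
 * Bug pattern (kept for contrast, never called here): the cast makes
 * lbuf[0]/lbuf[1] read 16 bytes from buf regardless of count. With a
 * 1-byte stack buffer that is a 15-byte stack over-read; the cast is
 * also an alignment hazard on strict-alignment targets.
 */
void pack_overread(const char *buf, int count, unsigned long out[HVC_WORDS])
{
    const unsigned long *lbuf = (const unsigned long *)buf;
    (void)count;            /* count is ignored: that is the defect */
    out[0] = lbuf[0];
    out[1] = lbuf[1];
}

/*
 * Corrected pattern: reject negative counts, clamp to what the hcall
 * can carry, then copy only `count` bytes into a zeroed local array.
 * No byte outside buf[0..count) is read, the copy cannot exceed the
 * array, and the unused tail is zero rather than leftover stack.
 * Returns the number of bytes actually packed, or -1 on a bad count.
 */
int pack_chars(const char *buf, int count, unsigned long out[HVC_WORDS])
{
    unsigned long lbuf[HVC_WORDS] = { 0 };

    if (count < 0)
        return -1;
    if (count > (int)HVC_MAX_CHARS)
        count = (int)HVC_MAX_CHARS;     /* firmware rejects longer requests anyway */

    memcpy(lbuf, buf, (size_t)count);   /* bounded by the clamp above */
    out[0] = lbuf[0];
    out[1] = lbuf[1];
    return count;
}

/*
 * Check helper: pack, then view the two longs as their 16-byte image
 * and verify the first `n` bytes equal buf and the rest are zero.
 * Returns 1 when the packing is faithful and leak-free, else 0.
 */
int pack_roundtrip_ok(const char *buf, int count)
{
    unsigned long words[HVC_WORDS];
    unsigned char raw[HVC_MAX_CHARS];
    int n = pack_chars(buf, count, words);

    if (n < 0)
        return 0;
    memcpy(raw, words, sizeof(raw));
    if (memcmp(raw, buf, (size_t)n) != 0)
        return 0;
    for (size_t i = (size_t)n; i < sizeof(raw); i++)
        if (raw[i] != 0)
            return 0;
    return 1;
}

/* Check helper: how many bytes pack_chars() accepts for a given count. */
int pack_count(const char *buf, int count)
{
    unsigned long words[HVC_WORDS];
    return pack_chars(buf, count, words);
}

int main(void)
{
    const char msg[] = "kasan";         /* constructed 5-byte input */
    unsigned long words[HVC_WORDS];
    int n = pack_chars(msg, (int)(sizeof(msg) - 1), words);

    printf("packed %d bytes: %#lx %#lx\n", n, words[0], words[1]);
    printf("roundtrip ok: %d\n", pack_roundtrip_ok(msg, n));
    return 0;
}
```

The word values printed depend on host endianness, which is why the check helper compares the byte image rather than the longs themselves; on powerpc64 big-endian the first character lands in the most significant byte of `words[0]`.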

