All of lore.kernel.org
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@suse.com>
To: Xiaoming Ni <nixiaoming@huawei.com>
Cc: linux-kernel@vger.kernel.org, mcgrof@kernel.org,
	keescook@chromium.org, yzaikin@google.com, adobriyan@gmail.com,
	linux-fsdevel@vger.kernel.org, vbabka@suse.cz,
	akpm@linux-foundation.org, wangle6@huawei.com
Subject: Re: [PATCH v2] proc_sysctl: fix oops caused by incorrect command parameters.
Date: Fri, 8 Jan 2021 10:21:45 +0100	[thread overview]
Message-ID: <20210108092145.GX13207@dhcp22.suse.cz> (raw)
In-Reply-To: <20210108023339.55917-1-nixiaoming@huawei.com>

On Fri 08-01-21 10:33:39, Xiaoming Ni wrote:
> The process_sysctl_arg() does not check whether val is empty before
>  invoking strlen(val). If the command line parameter () is incorrectly
>  configured and val is empty, oops is triggered.
> 
> For example, "hung_task_panic=1" is incorrectly written as "hung_task_panic".
> 
> log:
> 	Kernel command line: .... hung_task_panic
> 	....
> 	[000000000000000n] user address but active_mm is swapper
> 	Internal error: Oops: 96000005 [#1] SMP
> 	Modules linked in:
> 	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.1 #1
> 	Hardware name: linux,dummy-virt (DT)
> 	pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--)
> 	pc : __pi_strlen+0x10/0x98
> 	lr : process_sysctl_arg+0x1e4/0x2ac
> 	sp : ffffffc01104bd40
> 	x29: ffffffc01104bd40 x28: 0000000000000000
> 	x27: ffffff80c0a4691e x26: ffffffc0102a7c8c
> 	x25: 0000000000000000 x24: ffffffc01104be80
> 	x23: ffffff80c22f0b00 x22: ffffff80c02e28c0
> 	x21: ffffffc0109f9000 x20: 0000000000000000
> 	x19: ffffffc0107c08de x18: 0000000000000003
> 	x17: ffffffc01105d000 x16: 0000000000000054
> 	x15: ffffffffffffffff x14: 3030253078413830
> 	x13: 000000000000ffff x12: 0000000000000000
> 	x11: 0101010101010101 x10: 0000000000000005
> 	x9 : 0000000000000003 x8 : ffffff80c0980c08
> 	x7 : 0000000000000000 x6 : 0000000000000002
> 	x5 : ffffff80c0235000 x4 : ffffff810f7c7ee0
> 	x3 : 000000000000043a x2 : 00bdcc4ebacf1a54
> 	x1 : 0000000000000000 x0 : 0000000000000000
> 	Call trace:
> 	 __pi_strlen+0x10/0x98
> 	 parse_args+0x278/0x344
> 	 do_sysctl_args+0x8c/0xfc
> 	 kernel_init+0x5c/0xf4
> 	 ret_from_fork+0x10/0x30
> 	Code: b200c3eb 927cec01 f2400c07 54000301 (a8c10c22)
> 
> Fixes: 3db978d480e2843 ("kernel/sysctl: support setting sysctl parameters
>  from kernel command line")
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>

Thanks for catching this!

> ---------
> v2:
>    Added log output of the failure branch based on the review comments of Kees Cook.
> v1: https://lore.kernel.org/lkml/20201224074256.117413-1-nixiaoming@huawei.com/
> ---------
> ---
>  fs/proc/proc_sysctl.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 317899222d7f..dc1a56515e86 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -1757,6 +1757,11 @@ static int process_sysctl_arg(char *param, char *val,
>  	loff_t pos = 0;
>  	ssize_t wret;
>  
> +	if (!val) {
> +		pr_err("Missing param value! Expected '%s=...value...'\n", param);
> +		return 0;
> +	}

Shouldn't you return an error here? Also my understanding is that
parse_args is responsible for reporting the error.

> +
>  	if (strncmp(param, "sysctl", sizeof("sysctl") - 1) == 0) {
>  		param += sizeof("sysctl") - 1;
>  
> -- 
> 2.27.0

-- 
Michal Hocko
SUSE Labs

  reply	other threads:[~2021-01-08  9:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-08  2:33 [PATCH v2] proc_sysctl: fix oops caused by incorrect command parameters Xiaoming Ni
2021-01-08  9:21 ` Michal Hocko [this message]
2021-01-08 10:01   ` Xiaoming Ni
2021-01-08 11:47     ` Michal Hocko
2021-01-08 19:56       ` Kees Cook
2021-01-08 20:10         ` Michal Hocko
2021-01-09  1:50           ` Andrew Morton
2021-01-11  3:48             ` Xiaoming Ni
2021-01-11 14:21               ` Michal Hocko
2021-01-11 19:50                 ` Kees Cook
     [not found] ` <CAHp75Vfdyh1ad7p_-uqYZPyF78tOB96HKNQVXkOv_yrReo2Mcg@mail.gmail.com>
2021-01-11  3:14   ` Xiaoming Ni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210108092145.GX13207@dhcp22.suse.cz \
    --to=mhocko@suse.com \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=nixiaoming@huawei.com \
    --cc=vbabka@suse.cz \
    --cc=wangle6@huawei.com \
    --cc=yzaikin@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.