* stack out-of-bounds write in mce-inject.c
@ 2018-04-27 15:24 Dmitry Vyukov
  2018-04-27 15:41 ` Borislav Petkov
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2018-04-27 15:24 UTC (permalink / raw)
  To: tony.luck, Borislav Petkov, Thomas Gleixner, Ingo Molnar,
	H. Peter Anvin, the arch/x86 maintainers, linux-edac, LKML

Hi,

Opening /sys/kernel/debug/mce-inject/flags overwrites stack:

==================================================================
BUG: KASAN: stack-out-of-bounds in vsnprintf+0x1b23/0x1b40 lib/vsprintf.c:2365
Write of size 1 at addr ffff8800627b7abb by task egrep/4309

CPU: 3 PID: 4309 Comm: egrep Not tainted 4.17.0-rc2+ #179
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:366 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:424
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:447
 vsnprintf+0x1b23/0x1b40 lib/vsprintf.c:2365
 sprintf+0xa7/0xd0 lib/vsprintf.c:2494
 flags_read+0xa3/0xf0 arch/x86/kernel/cpu/mcheck/mce-inject.c:345
 full_proxy_read+0x125/0x190 fs/debugfs/file.c:195
 __vfs_read+0x10f/0xa50 fs/read_write.c:416
 vfs_read+0x17f/0x3d0 fs/read_write.c:452
 ksys_read+0xf9/0x250 fs/read_write.c:578
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x73/0xb0 fs/read_write.c:586
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fb17c6c3310
RSP: 002b:00007ffca98af8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000001d72000 RCX: 00007fb17c6c3310
RDX: 0000000000008000 RSI: 0000000001d72000 RDI: 0000000000000005
RBP: 0000000000001000 R08: 0000000001d72000 R09: 00007fb17c979e90
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000008000 R14: 0000000000000000 R15: 0000000000000003

The buggy address belongs to the page:
page:ffffea000189edc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea0001890101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800627b7980: f3 f3 f3 f3 00 00 00 00 00 00 00 f1 f1 f1 f1 00
 ffff8800627b7a00: 00 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
>ffff8800627b7a80: 00 00 00 f1 f1 f1 f1 03 f2 f2 f2 f3 f3 f3 f3 00
                                        ^
 ffff8800627b7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800627b7b80: 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2
==================================================================

On upstream commit 0644f186fc9d77bb5bd198369e59fb28927a3692.


* Re: stack out-of-bounds write in mce-inject.c
  2018-04-27 15:24 stack out-of-bounds write in mce-inject.c Dmitry Vyukov
@ 2018-04-27 15:41 ` Borislav Petkov
  2018-04-27 16:06   ` Dmitry Vyukov
  0 siblings, 1 reply; 9+ messages in thread
From: Borislav Petkov @ 2018-04-27 15:41 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: tony.luck, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	the arch/x86 maintainers, linux-edac, LKML

On Fri, Apr 27, 2018 at 05:24:24PM +0200, Dmitry Vyukov wrote:
> Hi,
> 
> Opening /sys/kernel/debug/mce-inject/flags overwrites stack:
> 
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in vsnprintf+0x1b23/0x1b40 lib/vsprintf.c:2365
> Write of size 1 at addr ffff8800627b7abb by task egrep/4309

How do you trigger this exactly?

You grep it for something apparently...

Thx.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.


* Re: stack out-of-bounds write in mce-inject.c
  2018-04-27 15:41 ` Borislav Petkov
@ 2018-04-27 16:06   ` Dmitry Vyukov
  2018-04-27 16:37       ` Luck, Tony
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2018-04-27 16:06 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: tony.luck, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	the arch/x86 maintainers, linux-edac, LKML

On Fri, Apr 27, 2018 at 5:41 PM, Borislav Petkov <bp@alien8.de> wrote:
> On Fri, Apr 27, 2018 at 05:24:24PM +0200, Dmitry Vyukov wrote:
>> Hi,
>>
>> Opening /sys/kernel/debug/mce-inject/flags overwrites stack:
>>
>> ==================================================================
>> BUG: KASAN: stack-out-of-bounds in vsnprintf+0x1b23/0x1b40 lib/vsprintf.c:2365
>> Write of size 1 at addr ffff8800627b7abb by task egrep/4309
>
> How do you trigger this exactly?
>
> You grep it for something apparently...


find /sys -exec grep "64" {} \; -print


* [PATCH] x86, mce: Fix stack out-of-bounds write in mce-inject.c:flags_read()
@ 2018-04-27 16:37       ` Luck, Tony
  0 siblings, 0 replies; 9+ messages in thread
From: Luck, Tony @ 2018-04-27 16:37 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Borislav Petkov, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	the arch/x86 maintainers, linux-edac, LKML

Each of the strings that we want to put into the buf[MAX_FLAG_OPT_SIZE]
in flags_read() is two characters. But the sprintf() adds a trailing newline
and will add a terminating NUL byte. So MAX_FLAG_OPT_SIZE needs to be 4.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Tony Luck <tony.luck@intel.com>

---

diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
index 475cb4f5f14f..c805a06e14c3 100644
--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -48,7 +48,7 @@ static struct dentry *dfs_inj;
 
 static u8 n_banks;
 
-#define MAX_FLAG_OPT_SIZE	3
+#define MAX_FLAG_OPT_SIZE	4
 #define NBCFG			0x44
 
 enum injection_type {
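Review bot: the new value is correct for the two-character strings the commit message describes (2 chars + '\n' + NUL = 4), but MAX_FLAG_OPT_SIZE remains a bare magic number with no tie to the strings in flags_options[], so a longer option added later would silently reintroduce the same stack overflow. Consider annotating the define, e.g. `#define MAX_FLAG_OPT_SIZE 4 /* 2 chars + '\n' + NUL */`, and in flags_read() formatting with `snprintf(buf, sizeof(buf), ...)` and comparing the return value against sizeof(buf): since vsnprintf() reports the length excluding the NUL, the returned n on its own cannot serve as an in-bounds check.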


* Re: [PATCH] x86, mce: Fix stack out-of-bounds write in mce-inject.c:flags_read()
@ 2018-04-27 16:59         ` Borislav Petkov
  0 siblings, 0 replies; 9+ messages in thread
From: Borislav Petkov @ 2018-04-27 16:59 UTC (permalink / raw)
  To: Luck, Tony
  Cc: Dmitry Vyukov, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	the arch/x86 maintainers, linux-edac, LKML

On Fri, Apr 27, 2018 at 09:37:08AM -0700, Luck, Tony wrote:
> Each of the strings that we want to put into the buf[MAX_FLAG_OPT_SIZE]
> in flags_read() is two characters. But the sprintf() adds a trailing newline
> and will add a terminating NUL byte. So MAX_FLAG_OPT_SIZE needs to be 4.

... and I dumped the n here:

	n = sprintf(buf, "%s\n", flags_options[inj_type])

and it was 3 but sprintf() calls vsnprintf() and *that* does return:

" * The return value is the number of characters which would
 * be generated for the given input, excluding the trailing
 * '\0', as per ISO C99."

So I'll extend the commit message with that and apply it.

Thanks.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
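Added example, not the kernel's code: a small C program that demonstrates the two points made in Tony's commit message and Boris's follow-up above, namely that a two-character option plus '\n' plus the terminating NUL needs 4 bytes, and that sprintf()/vsnprintf() return the length excluding the NUL, so the returned 3 does not reveal that a 3-byte buffer was overrun. The option strings ("sw", "hw", "df", "th") are constructed placeholders, not the real flags_options[] values, and the function names are assumptions of this example. It also shows the bounded snprintf() pattern with the truncation check that the return value makes possible.

```c
/* Added example (not kernel code): why a 3-byte buf overflows for a
 * 2-character option, and how to size and format it safely. */
#include <stdio.h>
#include <string.h>

/* Constructed placeholder option strings: two characters each, like the
 * real flags_options[] in mce-inject.c, but not the real values. */
static const char *const flags_options[] = { "sw", "hw", "df", "th" };
#define NUM_FLAG_OPTIONS (sizeof(flags_options) / sizeof(flags_options[0]))

/* The buggy constant and its corrected value from the patch. */
#define OLD_MAX_FLAG_OPT_SIZE 3
#define NEW_MAX_FLAG_OPT_SIZE 4   /* 2 chars + '\n' + NUL */

/* Bytes the buffer must hold for opt followed by '\n' and the NUL. */
size_t needed_buf_size(const char *opt)
{
	return strlen(opt) + 1 /* '\n' */ + 1 /* NUL */;
}

/* What sprintf()/vsnprintf() report: characters written, NUL excluded
 * (ISO C99). For "sw" this is 3, which is why n looked fine while a
 * 3-byte buf was actually overrun by the NUL. */
int formatted_length(const char *opt)
{
	char scratch[64];

	return snprintf(scratch, sizeof(scratch), "%s\n", opt);
}

/* 1 if every option fits in a bufsz-byte buffer with newline and NUL. */
int all_options_fit(size_t bufsz)
{
	size_t i;

	for (i = 0; i < NUM_FLAG_OPTIONS; i++)
		if (needed_buf_size(flags_options[i]) > bufsz)
			return 0;
	return 1;
}

/* Hardened formatting: snprintf() bounded by the real buffer size, plus
 * the truncation check. Returns the length on success, -1 if the output
 * would not have fit (buf then holds a truncated, NUL-terminated string
 * instead of bytes written past its end). */
int format_flag_bounded(char *buf, size_t bufsz, const char *opt)
{
	int n = snprintf(buf, bufsz, "%s\n", opt);

	if (n < 0 || (size_t)n >= bufsz)
		return -1;
	return n;
}

/* Runs the hardened path against a buffer of the requested size. */
int format_flag_into(size_t bufsz, const char *opt)
{
	char buf[NEW_MAX_FLAG_OPT_SIZE];  /* largest size demonstrated here */

	if (bufsz > sizeof(buf))
		return -2;
	return format_flag_bounded(buf, bufsz, opt);
}

int main(void)
{
	printf("snprintf return for \"sw\\n\": %d (NUL excluded)\n",
	       formatted_length("sw"));
	printf("bytes needed for \"sw\": %zu\n", needed_buf_size("sw"));
	printf("all options fit in %d bytes: %d\n", OLD_MAX_FLAG_OPT_SIZE,
	       all_options_fit(OLD_MAX_FLAG_OPT_SIZE));
	printf("all options fit in %d bytes: %d\n", NEW_MAX_FLAG_OPT_SIZE,
	       all_options_fit(NEW_MAX_FLAG_OPT_SIZE));
	printf("bounded format into 3 bytes: %d\n", format_flag_into(3, "sw"));
	printf("bounded format into 4 bytes: %d\n", format_flag_into(4, "sw"));
	return 0;
}
```

With a 3-byte buffer the bounded version returns -1 and leaves "sw" without its newline rather than writing a NUL one byte past the array; with the patched 4-byte size it returns 3 and the full "sw\n" is stored. The all_options_fit() loop is the runtime analogue of a compile-time size check tying the constant to the actual option strings.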


* [tip:ras/core] x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read()
@ 2018-05-06 10:52         ` tip-bot for Borislav Petkov
  0 siblings, 0 replies; 9+ messages in thread
From: tip-bot for Luck, Tony @ 2018-05-06 10:52 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: dvyukov, tony.luck, tglx, linux-kernel, mingo, hpa, bp, linux-edac

Commit-ID:  985c78d3ff8e9c74450fa2bb08eb55e680d999ca
Gitweb:     https://git.kernel.org/tip/985c78d3ff8e9c74450fa2bb08eb55e680d999ca
Author:     Luck, Tony <tony.luck@intel.com>
AuthorDate: Fri, 27 Apr 2018 09:37:08 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sun, 6 May 2018 12:46:39 +0200

x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read()

Each of the strings that we want to put into the buf[MAX_FLAG_OPT_SIZE]
in flags_read() is two characters long. But the sprintf() adds
a trailing newline and will add a terminating NUL byte. So
MAX_FLAG_OPT_SIZE needs to be 4.

sprintf() calls vsnprintf() and *that* does return:

" * The return value is the number of characters which would
 * be generated for the given input, excluding the trailing
 * '\0', as per ISO C99."

Note the "excluding".

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180427163707.ktaiysvbk3yhk4wm@agluck-desk
---
 arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
index 475cb4f5f14f..c805a06e14c3 100644
--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -48,7 +48,7 @@ static struct dentry *dfs_inj;
 
 static u8 n_banks;
 
-#define MAX_FLAG_OPT_SIZE	3
+#define MAX_FLAG_OPT_SIZE	4
 #define NBCFG			0x44
 
 enum injection_type {

