LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>
Subject: [PATCH 4.4 86/88] intel_th: msu: Fix an off-by-one in attribute store
Date: Fri, 11 Jan 2019 15:08:55 +0100
Message-ID: <20190111131059.914695192@linuxfoundation.org> (raw)
In-Reply-To: <20190111131045.137499039@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream.

The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:

> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
>
> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
> Call Trace:
>  dump_stack+0x7c/0xc0
>  print_address_description+0x6c/0x23c
>  ? memchr+0x1e/0x40
>  kasan_report.cold.5+0x241/0x308
>  memchr+0x1e/0x40
>  nr_pages_store+0x203/0xd00 [intel_th_msu]

Fix this by accounting for the comma character.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/msu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/hwtracing/intel_th/msu.c
+++ b/drivers/hwtracing/intel_th/msu.c
@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struc
 		if (!end)
 			break;
 
-		len -= end - p;
+		/* consume the number and the following comma, hence +1 */
+		len -= end - p + 1;
 		p = end + 1;
 	} while (len);
 



  parent reply index

Thread overview: 102+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-11 14:07 [PATCH 4.4 00/88] 4.4.170-stable review Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 01/88] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 02/88] xhci: Dont prevent USB2 bus suspend in state check intended for USB3 only Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 03/88] USB: serial: option: add GosunCn ZTE WeLink ME3630 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 04/88] USB: serial: option: add HP lt4132 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 05/88] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 06/88] USB: serial: option: add Fibocom NL668 series Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 07/88] USB: serial: option: add Telit LN940 series Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 08/88] mmc: core: Reset HPI enabled state during re-init and in case of errors Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 09/88] mmc: omap_hsmmc: fix DMA API warning Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 10/88] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 11/88] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 12/88] x86/mtrr: Dont copy uninitialized gentry fields back to userspace Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 13/88] drm/ioctl: Fix Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 14/88] ip6mr: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 15/88] ipv4: " Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 16/88] ax25: fix a use-after-free in ax25_fillin_cb() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 17/88] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 18/88] ieee802154: lowpan_header_create check must check daddr Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 19/88] ipv6: explicitly initialize udp6_addr in udp_sock_create6() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 20/88] isdn: fix kernel-infoleak in capi_unlocked_ioctl Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 21/88] netrom: fix locking in nr_find_socket() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 22/88] packet: validate address length Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 23/88] packet: validate address length if non-zero Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 24/88] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 25/88] vhost: make sure used idx is seen before log in vhost_add_used_n() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 26/88] VSOCK: Send reset control packet when socket is partially bound Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 27/88] xen/netfront: tolerate frags with no data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 28/88] gro_cell: add napi_disable in gro_cells_destroy Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 29/88] sock: Make sock->sk_stamp thread-safe Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 30/88] ALSA: rme9652: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 31/88] ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 32/88] ALSA: pcm: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 33/88] ALSA: emux: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 34/88] ALSA: hda: add mute LED support for HP EliteBook 840 G4 Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 35/88] ALSA: hda/tegra: clear pending irq handlers Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 36/88] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 37/88] USB: serial: option: add Fibocom NL678 series Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 38/88] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 39/88] Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 40/88] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 41/88] perf pmu: Suppress potential format-truncation warning Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 42/88] ext4: fix possible use after free in ext4_quota_enable Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 43/88] ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 44/88] ext4: fix EXT4_IOC_GROUP_ADD ioctl Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 45/88] ext4: force inode writes when nfsd calls commit_metadata() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 46/88] spi: bcm2835: Fix race on DMA termination Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 47/88] spi: bcm2835: Fix book-keeping of " Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 48/88] spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 49/88] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 50/88] media: vivid: free bitmap_cap when updating std/timings/etc Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 51/88] MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 52/88] MIPS: Align kernel load address to 64KB Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 53/88] CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 54/88] x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 55/88] spi: bcm2835: Unbreak the build of esoteric configs Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 56/88] powerpc: Fix COFF zImage booting on old powermacs Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 57/88] ARM: imx: update the cpu power up timing setting on i.mx6sx Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 58/88] Input: restore EV_ABS ABS_RESERVED Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 59/88] checkstack.pl: fix for aarch64 Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 60/88] xfrm: Fix bucket count reported to userspace Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 61/88] scsi: bnx2fc: Fix NULL dereference in error handling Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 62/88] Input: omap-keypad - fix idle configuration to not block SoC idle states Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 63/88] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 64/88] fork: record start_time late Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 65/88] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 66/88] mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 67/88] mm, devm_memremap_pages: kill mapping "System RAM" support Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 68/88] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 69/88] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 70/88] crypto: x86/chacha20 - avoid sleeping with preemption disabled Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 71/88] block: break discard submissions into the user defined size Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 72/88] block: dont deal with discard limit in blkdev_issue_discard() Greg Kroah-Hartman
2019-01-11 14:25   ` Mike Snitzer
2019-01-11 14:34     ` Mike Snitzer
2019-01-11 14:35     ` Greg Kroah-Hartman
2019-01-11 15:06       ` Mike Snitzer
2019-01-11 15:17         ` Greg Kroah-Hartman
2019-01-11 15:23           ` Mike Snitzer
2019-01-11 15:44             ` Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 73/88] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 74/88] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 75/88] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 76/88] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 77/88] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 78/88] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 79/88] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 80/88] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 81/88] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 82/88] 9p/net: put a lower bound on msize Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 83/88] iommu/vt-d: Handle domain agaw being less than iommu agaw Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 84/88] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 85/88] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:08 ` Greg Kroah-Hartman [this message]
2019-01-11 14:08 ` [PATCH 4.4 87/88] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 88/88] vhost/vsock: fix uninitialized vhost_vsock->guest_cid Greg Kroah-Hartman
2019-01-11 14:33   ` Greg Kroah-Hartman
2019-01-11 21:46 ` [PATCH 4.4 00/88] 4.4.170-stable review shuah
2019-01-12  8:06 ` Naresh Kamboju
2019-01-12 14:57 ` Harsh Shandilya
2019-01-12 15:46   ` Greg Kroah-Hartman
2019-01-12 17:42 ` Guenter Roeck

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190111131059.914695192@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox