From: Seungil Kang <sil.kang@samsung.com>
To: andriy.shevchenko@linux.intel.com
Cc: bhe@redhat.com, mingo@kernel.org, akpm@linux-foundation.org,
gregkh@linuxfoundation.org, herbert@gondor.apana.org.au,
tglx@linutronix.de, linux-kernel@vger.kernel.org,
Seungil Kang <sil.kang@samsung.com>
Subject: [PATCH v2] lib/cmdline: prevent unintented access to address
Date: Thu, 13 Aug 2020 12:07:41 +0900 [thread overview]
Message-ID: <20200813030741.6896-1-sil.kang@samsung.com> (raw)
In-Reply-To: CGME20200813030810epcas1p39ad56c069ab4fa41312f91f994c17cac@epcas1p3.samsung.com
When args = "\"\0", "i" will be 0 and args[i-1] is used. (*lib/cmdline.c +238)
Because of "i" is an unsigned int type, the function will access at args[0xFFFFFFFF].
It can make a crash.
Signed-off-by: Seungil Kang <sil.kang@samsung.com>
---
Thanks for your review, my comments below
> Can you be less ambiguous with the args value? (Perhaps provide a hexdump of it
for better understanding)
This kind of args as hexdump below can cause crash.
00000000: 736f 6d65 7468 696e 6731 3d73 6f6d 655f something1=some_
00000010: 7661 6c75 6573 2022 0000 0000 0000 0000 values "
The args end with "\"\0".
> Please, use proper punctuation, I'm lost where is the sentence and what are the
logical parts of them.
I'm sorry to confuse you. I fix the commit msg
> Can you point out to the code that calls this and leads to a crash?
*lib/cmdlinc + 201 ~, next_arg function with args = "\"\0"
char *next_arg(char *args, char **param, char **val) <-- args = "\"\0".
{
unsigned int i, equals = 0;
int in_quote = 0, quoted = 0;
char *next;
if (*args == '"') { <-- *args == '"' is a true condition,
args++; <-- args++, so *args = '\0'.
in_quote = 1;
quoted = 1; <-- quoted also set 1.
}
for (i = 0; args[i]; i++) { <-- when reached this point, i = 0, and arg[0] == '\0',
so for loop is skipped.
if (isspace(args[i]) && !in_quote)
break;
if (equals == 0) {
if (args[i] == '=')
equals = i;
}
if (args[i] == '"')
in_quote = !in_quote;
}
*param = args;
if (!equals)
*val = NULL;
else {
args[equals] = '\0';
*val = args + equals + 1;
/* Don't include quotes in value. */
if (**val == '"') {
(*val)++;
if (args[i-1] == '"')
args[i-1] = '\0';
}
}
if (quoted && args[i-1] == '"') <-- When reached this point, quoted is still set 1,
"i" is still 0, and "i" is unsigned int type,
so address will be {address of args} + 0xFFFFFFFF.
It can make a crash.
args[i-1] = '\0';
if (args[i]) {
args[i] = '\0';
next = args + i + 1;
} else
next = args + i;
/* Chew up trailing spaces. */
return skip_spaces(next);
}
> Can you provide a KUnit test module which can check the case?
If necessary, I will make it and share it.
lib/cmdline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/cmdline.c b/lib/cmdline.c
index fbb9981a04a4..2fd29d7723b2 100644
--- a/lib/cmdline.c
+++ b/lib/cmdline.c
@@ -200,7 +200,7 @@ bool parse_option_str(const char *str, const char *option)
*/
char *next_arg(char *args, char **param, char **val)
{
- unsigned int i, equals = 0;
+ int i, equals = 0;
int in_quote = 0, quoted = 0;
char *next;
--
2.17.1
next parent reply other threads:[~2020-08-13 3:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20200813030810epcas1p39ad56c069ab4fa41312f91f994c17cac@epcas1p3.samsung.com>
2020-08-13 3:07 ` Seungil Kang [this message]
2020-08-13 3:31 ` [PATCH v2] lib/cmdline: prevent unintented access to address Randy Dunlap
2020-08-13 14:00 ` Andy Shevchenko
2020-12-09 12:23 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200813030741.6896-1-sil.kang@samsung.com \
--to=sil.kang@samsung.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bhe@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).