From: Kajol Jain <kjain@linux.ibm.com>
To: mpe@ellerman.id.au, linuxppc-dev@lists.ozlabs.org,
dan.j.williams@intel.com, vaibhav@linux.ibm.com
Cc: maddy@linux.ibm.com, atrajeev@linux.vnet.ibm.com,
disgoel@linux.vnet.ibm.com, kjain@linux.ibm.com,
rnsastry@linux.ibm.com, nvdimm@lists.linux.dev
Subject: [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE
Date: Thu, 5 May 2022 21:04:51 +0530 [thread overview]
Message-ID: <20220505153451.35503-1-kjain@linux.ibm.com> (raw)
With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform
dynamic checks for string size which can panic the kernel,
like incase of overflow detection.
In papr_scm, papr_scm_pmu_check_events function uses stat->stat_id
with string operations, to populate the nvdimm_events_map array.
Since stat_id variable is not NULL terminated, the kernel panics
with CONFIG_FORTIFY_SOURCE enabled at boot time.
Below are the logs of kernel panic:
[ 0.090221][ T1] detected buffer overflow in __fortify_strlen
[ 0.090241][ T1] ------------[ cut here ]------------
[ 0.090246][ T1] kernel BUG at lib/string_helpers.c:980!
[ 0.090253][ T1] Oops: Exception in kernel mode, sig: 5 [#1]
........
[ 0.090375][ T1] NIP [c00000000077dad0] fortify_panic+0x28/0x38
[ 0.090382][ T1] LR [c00000000077dacc] fortify_panic+0x24/0x38
[ 0.090387][ T1] Call Trace:
[ 0.090390][ T1] [c0000022d77836e0] [c00000000077dacc] fortify_panic+0x24/0x38 (unreliable)
[ 9.297707] [ T1] [c00800000deb2660] papr_scm_pmu_check_events.constprop.0+0x118/0x220 [papr_scm]
[ 9.297721] [ T1] [c00800000deb2cb0] papr_scm_probe+0x288/0x62c [papr_scm]
[ 9.297732] [ T1] [c0000000009b46a8] platform_probe+0x98/0x150
Fix this issue by using kmemdup_nul function to copy the content of
stat->stat_id directly to the nvdimm_events_map array.
Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support")
Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
---
arch/powerpc/platforms/pseries/papr_scm.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c
index f58728d5f10d..39962c905542 100644
--- a/arch/powerpc/platforms/pseries/papr_scm.c
+++ b/arch/powerpc/platforms/pseries/papr_scm.c
@@ -462,7 +462,6 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu
{
struct papr_scm_perf_stat *stat;
struct papr_scm_perf_stats *stats;
- char *statid;
int index, rc, count;
u32 available_events;
@@ -493,14 +492,12 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu
for (index = 0, stat = stats->scm_statistic, count = 0;
index < available_events; index++, ++stat) {
- statid = kzalloc(strlen(stat->stat_id) + 1, GFP_KERNEL);
- if (!statid) {
+ p->nvdimm_events_map[count] = kmemdup_nul(stat->stat_id, 8, GFP_KERNEL);
+ if (!p->nvdimm_events_map[count]) {
rc = -ENOMEM;
goto out_nvdimm_events_map;
}
- strcpy(statid, stat->stat_id);
- p->nvdimm_events_map[count] = statid;
count++;
}
p->nvdimm_events_map[count] = NULL;
--
2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Kajol Jain <kjain@linux.ibm.com>
To: mpe@ellerman.id.au, linuxppc-dev@lists.ozlabs.org,
dan.j.williams@intel.com, vaibhav@linux.ibm.com
Cc: nvdimm@lists.linux.dev, atrajeev@linux.vnet.ibm.com,
rnsastry@linux.ibm.com, kjain@linux.ibm.com, maddy@linux.ibm.com,
disgoel@linux.vnet.ibm.com
Subject: [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE
Date: Thu, 5 May 2022 21:04:51 +0530 [thread overview]
Message-ID: <20220505153451.35503-1-kjain@linux.ibm.com> (raw)
With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform
dynamic checks for string size which can panic the kernel,
like incase of overflow detection.
In papr_scm, papr_scm_pmu_check_events function uses stat->stat_id
with string operations, to populate the nvdimm_events_map array.
Since stat_id variable is not NULL terminated, the kernel panics
with CONFIG_FORTIFY_SOURCE enabled at boot time.
Below are the logs of kernel panic:
[ 0.090221][ T1] detected buffer overflow in __fortify_strlen
[ 0.090241][ T1] ------------[ cut here ]------------
[ 0.090246][ T1] kernel BUG at lib/string_helpers.c:980!
[ 0.090253][ T1] Oops: Exception in kernel mode, sig: 5 [#1]
........
[ 0.090375][ T1] NIP [c00000000077dad0] fortify_panic+0x28/0x38
[ 0.090382][ T1] LR [c00000000077dacc] fortify_panic+0x24/0x38
[ 0.090387][ T1] Call Trace:
[ 0.090390][ T1] [c0000022d77836e0] [c00000000077dacc] fortify_panic+0x24/0x38 (unreliable)
[ 9.297707] [ T1] [c00800000deb2660] papr_scm_pmu_check_events.constprop.0+0x118/0x220 [papr_scm]
[ 9.297721] [ T1] [c00800000deb2cb0] papr_scm_probe+0x288/0x62c [papr_scm]
[ 9.297732] [ T1] [c0000000009b46a8] platform_probe+0x98/0x150
Fix this issue by using kmemdup_nul function to copy the content of
stat->stat_id directly to the nvdimm_events_map array.
Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support")
Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
---
arch/powerpc/platforms/pseries/papr_scm.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c
index f58728d5f10d..39962c905542 100644
--- a/arch/powerpc/platforms/pseries/papr_scm.c
+++ b/arch/powerpc/platforms/pseries/papr_scm.c
@@ -462,7 +462,6 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu
{
struct papr_scm_perf_stat *stat;
struct papr_scm_perf_stats *stats;
- char *statid;
int index, rc, count;
u32 available_events;
@@ -493,14 +492,12 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu
for (index = 0, stat = stats->scm_statistic, count = 0;
index < available_events; index++, ++stat) {
- statid = kzalloc(strlen(stat->stat_id) + 1, GFP_KERNEL);
- if (!statid) {
+ p->nvdimm_events_map[count] = kmemdup_nul(stat->stat_id, 8, GFP_KERNEL);
+ if (!p->nvdimm_events_map[count]) {
rc = -ENOMEM;
goto out_nvdimm_events_map;
}
- strcpy(statid, stat->stat_id);
- p->nvdimm_events_map[count] = statid;
count++;
}
p->nvdimm_events_map[count] = NULL;
--
2.31.1
next reply other threads:[~2022-05-05 15:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-05 15:34 Kajol Jain [this message]
2022-05-05 15:34 ` [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE Kajol Jain
2022-05-06 9:33 ` Vaibhav Jain
2022-05-08 11:11 ` Michael Ellerman
2022-05-08 11:11 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220505153451.35503-1-kjain@linux.ibm.com \
--to=kjain@linux.ibm.com \
--cc=atrajeev@linux.vnet.ibm.com \
--cc=dan.j.williams@intel.com \
--cc=disgoel@linux.vnet.ibm.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=nvdimm@lists.linux.dev \
--cc=rnsastry@linux.ibm.com \
--cc=vaibhav@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.