From: Kajol Jain <kjain@linux.ibm.com> To: mpe@ellerman.id.au, linuxppc-dev@lists.ozlabs.org, dan.j.williams@intel.com, vaibhav@linux.ibm.com Cc: maddy@linux.ibm.com, atrajeev@linux.vnet.ibm.com, disgoel@linux.vnet.ibm.com, kjain@linux.ibm.com, rnsastry@linux.ibm.com, nvdimm@lists.linux.dev Subject: [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE Date: Thu, 5 May 2022 21:04:51 +0530 [thread overview] Message-ID: <20220505153451.35503-1-kjain@linux.ibm.com> (raw) With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform dynamic checks for string size which can panic the kernel, like incase of overflow detection. In papr_scm, papr_scm_pmu_check_events function uses stat->stat_id with string operations, to populate the nvdimm_events_map array. Since stat_id variable is not NULL terminated, the kernel panics with CONFIG_FORTIFY_SOURCE enabled at boot time. Below are the logs of kernel panic: [ 0.090221][ T1] detected buffer overflow in __fortify_strlen [ 0.090241][ T1] ------------[ cut here ]------------ [ 0.090246][ T1] kernel BUG at lib/string_helpers.c:980! [ 0.090253][ T1] Oops: Exception in kernel mode, sig: 5 [#1] ........ [ 0.090375][ T1] NIP [c00000000077dad0] fortify_panic+0x28/0x38 [ 0.090382][ T1] LR [c00000000077dacc] fortify_panic+0x24/0x38 [ 0.090387][ T1] Call Trace: [ 0.090390][ T1] [c0000022d77836e0] [c00000000077dacc] fortify_panic+0x24/0x38 (unreliable) [ 9.297707] [ T1] [c00800000deb2660] papr_scm_pmu_check_events.constprop.0+0x118/0x220 [papr_scm] [ 9.297721] [ T1] [c00800000deb2cb0] papr_scm_probe+0x288/0x62c [papr_scm] [ 9.297732] [ T1] [c0000000009b46a8] platform_probe+0x98/0x150 Fix this issue by using kmemdup_nul function to copy the content of stat->stat_id directly to the nvdimm_events_map array. Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support") Signed-off-by: Kajol Jain <kjain@linux.ibm.com> --- arch/powerpc/platforms/pseries/papr_scm.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c index f58728d5f10d..39962c905542 100644 --- a/arch/powerpc/platforms/pseries/papr_scm.c +++ b/arch/powerpc/platforms/pseries/papr_scm.c @@ -462,7 +462,6 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu { struct papr_scm_perf_stat *stat; struct papr_scm_perf_stats *stats; - char *statid; int index, rc, count; u32 available_events; @@ -493,14 +492,12 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu for (index = 0, stat = stats->scm_statistic, count = 0; index < available_events; index++, ++stat) { - statid = kzalloc(strlen(stat->stat_id) + 1, GFP_KERNEL); - if (!statid) { + p->nvdimm_events_map[count] = kmemdup_nul(stat->stat_id, 8, GFP_KERNEL); + if (!p->nvdimm_events_map[count]) { rc = -ENOMEM; goto out_nvdimm_events_map; } - strcpy(statid, stat->stat_id); - p->nvdimm_events_map[count] = statid; count++; } p->nvdimm_events_map[count] = NULL; -- 2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Kajol Jain <kjain@linux.ibm.com> To: mpe@ellerman.id.au, linuxppc-dev@lists.ozlabs.org, dan.j.williams@intel.com, vaibhav@linux.ibm.com Cc: nvdimm@lists.linux.dev, atrajeev@linux.vnet.ibm.com, rnsastry@linux.ibm.com, kjain@linux.ibm.com, maddy@linux.ibm.com, disgoel@linux.vnet.ibm.com Subject: [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE Date: Thu, 5 May 2022 21:04:51 +0530 [thread overview] Message-ID: <20220505153451.35503-1-kjain@linux.ibm.com> (raw) With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform dynamic checks for string size which can panic the kernel, like incase of overflow detection. In papr_scm, papr_scm_pmu_check_events function uses stat->stat_id with string operations, to populate the nvdimm_events_map array. Since stat_id variable is not NULL terminated, the kernel panics with CONFIG_FORTIFY_SOURCE enabled at boot time. Below are the logs of kernel panic: [ 0.090221][ T1] detected buffer overflow in __fortify_strlen [ 0.090241][ T1] ------------[ cut here ]------------ [ 0.090246][ T1] kernel BUG at lib/string_helpers.c:980! [ 0.090253][ T1] Oops: Exception in kernel mode, sig: 5 [#1] ........ [ 0.090375][ T1] NIP [c00000000077dad0] fortify_panic+0x28/0x38 [ 0.090382][ T1] LR [c00000000077dacc] fortify_panic+0x24/0x38 [ 0.090387][ T1] Call Trace: [ 0.090390][ T1] [c0000022d77836e0] [c00000000077dacc] fortify_panic+0x24/0x38 (unreliable) [ 9.297707] [ T1] [c00800000deb2660] papr_scm_pmu_check_events.constprop.0+0x118/0x220 [papr_scm] [ 9.297721] [ T1] [c00800000deb2cb0] papr_scm_probe+0x288/0x62c [papr_scm] [ 9.297732] [ T1] [c0000000009b46a8] platform_probe+0x98/0x150 Fix this issue by using kmemdup_nul function to copy the content of stat->stat_id directly to the nvdimm_events_map array. Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support") Signed-off-by: Kajol Jain <kjain@linux.ibm.com> --- arch/powerpc/platforms/pseries/papr_scm.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c index f58728d5f10d..39962c905542 100644 --- a/arch/powerpc/platforms/pseries/papr_scm.c +++ b/arch/powerpc/platforms/pseries/papr_scm.c @@ -462,7 +462,6 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu { struct papr_scm_perf_stat *stat; struct papr_scm_perf_stats *stats; - char *statid; int index, rc, count; u32 available_events; @@ -493,14 +492,12 @@ static int papr_scm_pmu_check_events(struct papr_scm_priv *p, struct nvdimm_pmu for (index = 0, stat = stats->scm_statistic, count = 0; index < available_events; index++, ++stat) { - statid = kzalloc(strlen(stat->stat_id) + 1, GFP_KERNEL); - if (!statid) { + p->nvdimm_events_map[count] = kmemdup_nul(stat->stat_id, 8, GFP_KERNEL); + if (!p->nvdimm_events_map[count]) { rc = -ENOMEM; goto out_nvdimm_events_map; } - strcpy(statid, stat->stat_id); - p->nvdimm_events_map[count] = statid; count++; } p->nvdimm_events_map[count] = NULL; -- 2.31.1
next reply other threads:[~2022-05-05 15:35 UTC|newest] Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-05-05 15:34 Kajol Jain [this message] 2022-05-05 15:34 ` [PATCH] powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE Kajol Jain 2022-05-06 9:33 ` Vaibhav Jain 2022-05-08 11:11 ` Michael Ellerman 2022-05-08 11:11 ` Michael Ellerman
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220505153451.35503-1-kjain@linux.ibm.com \ --to=kjain@linux.ibm.com \ --cc=atrajeev@linux.vnet.ibm.com \ --cc=dan.j.williams@intel.com \ --cc=disgoel@linux.vnet.ibm.com \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=maddy@linux.ibm.com \ --cc=mpe@ellerman.id.au \ --cc=nvdimm@lists.linux.dev \ --cc=rnsastry@linux.ibm.com \ --cc=vaibhav@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.