redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers/block
History
Minchan Kim 0bc9f5d14a drivers/block/zram/zram_drv.c: fix idle/writeback string compare 
Makoto report a below KASAN error: zram does out-of-bounds read.  Because
strscpy copies from source up to count bytes unconditionally.  It could
cause out-of-bounds read on next object in slab.

To prevent it, use strlcpy which checks source's length automatically.

   BUG: KASAN: slab-out-of-bounds in strscpy+0x68/0x154
   Read of size 8 at addr ffffffc0c3495a00 by task system_server/1314
   ..
   Call trace:
     strscpy+0x68/0x154
     idle_store+0xc4/0x34c
     dev_attr_store+0x50/0x6c
     sysfs_kf_write+0x98/0xb4
     kernfs_fop_write+0x198/0x260
     __vfs_write+0x10c/0x338
     vfs_write+0x114/0x238
     SyS_write+0xc8/0x168
     __sys_trace_return+0x0/0x4

   Allocated by task 1314:
    __kmalloc+0x280/0x318
    kernfs_fop_write+0xac/0x260
    __vfs_write+0x10c/0x338
    vfs_write+0x114/0x238
    SyS_write+0xc8/0x168
    __sys_trace_return+0x0/0x4

   Freed by task 2855:
    kfree+0x138/0x630
    kernfs_put_open_node+0x10c/0x124
    kernfs_fop_release+0xd8/0x114
    __fput+0x130/0x2a4
    ____fput+0x1c/0x28
    task_work_run+0x16c/0x1c8
    do_notify_resume+0x2bc/0x107c
    work_pending+0x8/0x10

   The buggy address belongs to the object at ffffffc0c3495a00
    which belongs to the cache kmalloc-128 of size 128
   The buggy address is located 0 bytes inside of
    128-byte region [ffffffc0c3495a00, ffffffc0c3495a80)
   The buggy address belongs to the page:
   page:ffffffbf030d2500 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
   flags: 0x4000000000010200(slab|head)
   page dumped because: kasan: bad access detected

   Memory state around the buggy address:
    ffffffc0c3495900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ffffffc0c3495980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   >ffffffc0c3495a00: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
    ffffffc0c3495a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ffffffc0c3495b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Link: http://lkml.kernel.org/r/20190319231911.145968-1-minchan@kernel.org
Cc: <stable@vger.kernel.org>	[5.0]
Signed-off-by: Minchan Kim <minchan@kernel.org>
Reported-by: Makoto Wu <makotowu@google.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 		2019-03-29 10:01:37 -07:00
..
aoe aoe: add __exit annotation 2018-12-16 09:01:38 -07:00
drbd for-4.21/block-20190102 2019-01-02 18:49:58 -08:00
mtip32xx for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
paride paride/pcd: cleanup queues when detection fails 2019-03-18 08:10:32 -06:00
rsxx pci-v4.20-changes 2018-10-25 06:50:48 -07:00
xen-blkback xen/blkback: rework connect_ring() to avoid inconsistent xenstore 'ring-page-order' set by malicious blkfront 2019-02-24 10:17:56 -05:00
zram drivers/block/zram/zram_drv.c: fix idle/writeback string compare 2019-03-29 10:01:37 -07:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
amiflop.c block/amiflop: Don't log error message on invalid ioctl 2018-12-31 10:19:11 -07:00
ataflop.c ataflop: implement mq_ops->commit_rqs() hook 2018-11-29 10:12:27 -07:00
brd.c block: brd: associate with queue until adding disk 2018-11-01 19:59:51 -06:00
cryptoloop.c block: cryptoloop: Remove VLA usage of skcipher 2018-09-28 12:46:07 +08:00
floppy.c for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
loop.c loop: access lo_backing_file only when the loop device is Lo_bound 2019-03-18 08:20:53 -06:00
loop.h block/loop: Use global lock for ioctl() operation. 2018-11-08 06:30:11 -07:00
nbd.c nbd: propagate genlmsg_reply return code 2019-02-28 14:06:37 -07:00
null_blk.h null_blk: add zoned config support information 2019-01-06 10:58:27 -07:00
null_blk_main.c null_blk: fix checking for REQ_FUA 2019-02-28 14:03:03 -07:00
null_blk_zoned.c null_blk: Add conventional zone configuration for zoned support 2018-11-07 13:41:50 -07:00
pktcdvd.c pktcdvd: remove queue_lock around blk_queue_max_hw_sectors 2018-11-16 09:16:59 -07:00
ps3disk.c ps3disk: convert to blk-mq 2018-10-15 20:07:56 -06:00
ps3vram.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
rbd.c rbd: drop wait_for_latest_osdmap() 2019-03-20 16:27:40 +01:00
rbd_types.h rbd: RBD_V{1,2}_DATA_FORMAT macros 2017-02-20 12:16:15 +01:00
skd_main.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
skd_s1120.h skd: Use __packed only when needed 2017-08-18 08:45:29 -06:00
sunvdc.c block: sunvdc: don't run hw queue synchronously from irq context 2019-01-03 08:21:47 -07:00
swim.c swim: convert to blk-mq 2018-10-16 09:49:18 -06:00
swim3.c block/swim3: Fix regression on PowerBook G3 2018-12-31 10:19:19 -07:00
swim_asm.S
sx8.c sx8: use a per-host tag_set 2018-11-09 08:14:14 -07:00
umem.c block: remove the lock argument to blk_alloc_queue_node 2018-11-15 12:13:35 -07:00
umem.h
virtio_blk.c virtio-blk: Consider virtio_max_dma_size() for maximum segment size 2019-03-06 11:19:26 -05:00
xen-blkfront.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
xsysace.c xsysace: convert to blk-mq 2018-10-15 20:08:24 -06:00
z2ram.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00