kernel_optimize_test/drivers/tty
Macpaul Lin dada6a43b0 kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."

[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&]                                       ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------

After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.

Signed-off-by: Macpaul Lin <macpaul@gmail.com>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-06 15:59:07 +01:00
..
hvc tty: hvc: hvc_write() fix break condition 2018-09-10 18:04:31 +02:00
ipwireless ipwireless: switch to ->[sg]et_serial() 2018-10-13 00:50:31 -04:00
serdev serdev: add dev_pm_domain_attach|detach() 2018-07-15 12:23:53 +02:00
serial kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() 2018-12-06 15:59:07 +01:00
vt TTY/Serial fixes for 4.20-rc2 2018-11-10 13:32:14 -06:00
amiserial.c kill TIOCSERGSTRUCT 2018-10-13 00:50:53 -04:00
cyclades.c cyclades: switch to ->[sg]et_serial() 2018-10-13 00:50:30 -04:00
ehv_bytechan.c tty: Convert to using %pOFn instead of device_node.name 2018-09-18 16:07:25 +02:00
goldfish.c headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
isicom.c isicom: switch to ->[sg]et_serial() 2018-10-13 00:50:31 -04:00
Kconfig
Makefile
mips_ejtag_fdc.c
moxa.c moxa: switch to ->[sg]et_serial() 2018-10-13 00:50:32 -04:00
moxa.h
mxser.c mxser: switch to ->[sg]et_serial() 2018-10-13 00:50:32 -04:00
mxser.h
n_gsm.c change semantics of ldisc ->compat_ioctl() 2018-10-13 00:50:53 -04:00
n_hdlc.c
n_null.c
n_r3964.c change semantics of ldisc ->compat_ioctl() 2018-10-13 00:50:53 -04:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c tty: wipe buffer if not echoing data 2018-10-11 19:50:00 +02:00
nozomi.c
pty.c pty: fix compat ioctls 2018-10-13 00:50:51 -04:00
rocket_int.h
rocket.c tty: rocket: Fix possible buffer overwrite on register_PCI 2018-08-02 10:11:32 +02:00
rocket.h
synclink_gt.c synclink_gt(): fix compat_ioctl() 2018-10-13 00:50:52 -04:00
synclink.c synclink: reduce pointless checks in ->ioctl() 2018-10-13 00:50:43 -04:00
synclinkmp.c synclink: reduce pointless checks in ->ioctl() 2018-10-13 00:50:43 -04:00
sysrq.c signal: send_sig_all no longer needs SEND_SIG_FORCED 2018-09-11 21:19:07 +02:00
tty_audit.c
tty_baudrate.c termios, tty/tty_baudrate.c: fix buffer overrun 2018-11-08 03:36:45 -08:00
tty_buffer.c tty: wipe buffer. 2018-10-11 19:50:00 +02:00
tty_io.c TTY/Serial patches for 4.20-rc1 2018-10-29 10:42:20 -07:00
tty_ioctl.c move compat handling of tty ioctls to tty_compat_ioctl() 2018-09-14 11:12:17 -04:00
tty_jobctrl.c
tty_ldisc.c
tty_ldsem.c atomic/tty: Fix up atomic abuse in ldsem 2018-06-28 21:07:55 +09:00
tty_mutex.c
tty_port.c tty: do not set TTY_IO_ERROR flag if console port 2018-11-27 09:58:11 +01:00
vcc.c