From nobody Sat Apr 11 14:30:00 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 371CBC6FD1A for ; Tue, 7 Mar 2023 13:59:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230004AbjCGN7Y (ORCPT ); Tue, 7 Mar 2023 08:59:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229947AbjCGN7W (ORCPT ); Tue, 7 Mar 2023 08:59:22 -0500 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8BD676F7C for ; Tue, 7 Mar 2023 05:59:16 -0800 (PST) Received: from kwepemi500009.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4PWGHL6gQHzSkMV; Tue, 7 Mar 2023 21:18:54 +0800 (CST) Received: from huawei.com (10.67.175.85) by kwepemi500009.china.huawei.com (7.221.188.199) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Tue, 7 Mar 2023 21:21:57 +0800 From: Xia Fukun To: , CC: , Subject: [PATCH v2] kobject: Fix global-out-of-bounds in kobject_action_type() Date: Tue, 7 Mar 2023 21:19:55 +0800 Message-ID: <20230307131955.90524-1-xiafukun@huawei.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 X-Originating-IP: [10.67.175.85] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To kwepemi500009.china.huawei.com (7.221.188.199) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The following c language code can trigger KASAN's global variable out-of-bounds access error in kobject_action_type(): int main() { int fd; char *filename =3D "/sys/block/ram12/uevent"; char str[86] =3D "offline"; int len =3D 86; fd =3D open(filename, O_WRONLY); if (fd =3D=3D -1) { printf("open"); exit(1); } if (write(fd, str, len) =3D=3D -1) { printf("write"); exit(1); } close(fd); return 0; } Function kobject_action_type() receives the input parameters buf and count, where count is the length of the string buf. In the use case we provided, count is 86, the count_first is 85. Buf points to a string with a length of 86, and its first seven characters are "offline". In line 87 of the code, kobject_actions[action] is the string "offline" with the length of 7,an out-of-boundary access will appear: kobject_actions[action][85]. Modify the judgment logic in line 87. If the length of the string kobject_actions[action] is greater than count_first(e.g. buf is "off", count is 3), continue the loop. Otherwise, the match is considered successful. This change means that our test case will be successfully parsed as an offline event and no out-of-bounds access error will occur. Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic u= events") Signed-off-by: Xia Fukun --- lib/kobject_uevent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 7c44b7ae4c5c..474f996895c7 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c @@ -84,7 +84,7 @@ static int kobject_action_type(const char *buf, size_t co= unt, for (action =3D 0; action < ARRAY_SIZE(kobject_actions); action++) { if (strncmp(kobject_actions[action], buf, count_first) !=3D 0) continue; - if (kobject_actions[action][count_first] !=3D '\0') + if (strlen(kobject_actions[action]) > count_first) continue; if (args) *args =3D args_start; --=20 2.17.1