1. 19 Dec, 2018 2 commits
    • intel_th: msu: Fix an off-by-one in attribute store · ec5b5ad6
      Alexander Shishkin authored
      The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
      list of window sizes, passed from userspace. However, there is a bug in
      the string parsing logic wherein it doesn't exclude the comma character
      from the range of characters as it consumes them. This leads to an
      out-of-bounds access given a sufficiently long list. For example:
      
      > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
      > ==================================================================
      > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
      > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
      >
      > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
      > Call Trace:
      >  dump_stack+0x7c/0xc0
      >  print_address_description+0x6c/0x23c
      >  ? memchr+0x1e/0x40
      >  kasan_report.cold.5+0x241/0x308
      >  memchr+0x1e/0x40
      >  nr_pages_store+0x203/0xd00 [intel_th_msu]
      
      Fix this by accounting for the comma character.
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: ba82664c ("intel_th: Add Memory Storage Unit driver")
      Cc: stable@vger.kernel.org # v4.4+
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • stm class: Fix a module refcount leak in policy creation error path · c18614a1
      Alexander Shishkin authored
      Commit c7fd62bc ("stm class: Introduce framing protocol drivers")
      adds a bug into the error path of policy creation, that would do a
      module_put() on a wrong module, if one tried to create a policy for
      an stm device which already has a policy, using a different protocol.
      IOW,
      
      | mkdir /config/stp-policy/dummy_stm.0:p_basic.test
      | mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # puts "p_basic"
      | mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # "p_basic" -> -1
      
      throws:
      
      | general protection fault: 0000 [#1] SMP PTI
      | CPU: 3 PID: 2887 Comm: mkdir
      | RIP: 0010:module_put.part.31+0xe/0x90
      | Call Trace:
      |  module_put+0x13/0x20
      |  stm_put_protocol+0x11/0x20 [stm_core]
      |  stp_policy_make+0xf1/0x210 [stm_core]
      |  ? __kmalloc+0x183/0x220
      |  ? configfs_mkdir+0x10d/0x4c0
      |  configfs_mkdir+0x169/0x4c0
      |  vfs_mkdir+0x108/0x1c0
      |  do_mkdirat+0xe8/0x110
      |  __x64_sys_mkdir+0x1b/0x20
      |  do_syscall_64+0x5a/0x140
      |  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Correct this sad mistake by calling 'put' on the correct
      reference, which happens to match another error path in the same
      function, so we consolidate the two at the same time.
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: c7fd62bc ("stm class: Introduce framing protocol drivers")
      Reported-by: Ammy Yi <ammy.yi@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 06 Dec, 2018 6 commits
  3. 11 Oct, 2018 11 commits
  4. 25 Sep, 2018 21 commits
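
The off-by-one described in commit ec5b5ad6 above, as an added user-space C model that is not the intel_th driver's code and not part of the commit: the function `scan_overrun` and its `skip_comma` switch are hypothetical, and the input is the `8,8,8,8` string from the commit message. The model clamps its own reads, so it only reports how far the search window would extend past the buffer when the comma is left out of the consumed length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model of a comma-separated list scanner (hypothetical names,
 * not the driver source). Returns how many bytes past the end of buf the
 * widest memchr() window would reach. Real reads are clamped to buf.
 */
static size_t scan_overrun(const char *buf, size_t total, int skip_comma)
{
    size_t off = 0;       /* cursor: offset of the next unparsed byte */
    size_t len = total;   /* bytes the scanner believes are left */
    size_t worst = 0;

    while (len) {
        /* The scanner would search [off, off + len); measure the excess. */
        size_t over = (off + len > total) ? off + len - total : 0;
        if (over > worst)
            worst = over;

        /* Clamped search: only touch bytes that belong to buf. */
        const char *p = buf + off;
        const char *end = memchr(p, ',', len - over);
        if (!end)
            break;                        /* last number in the list */

        /* Consume the number; the fixed form also consumes the comma. */
        len -= (size_t)(end - p) + (skip_comma ? 1 : 0);
        off = (size_t)(end - buf) + 1;    /* cursor always skips the comma */
    }
    return worst;
}

int main(void)
{
    const char list[] = "8,8,8,8";        /* input from the commit message */
    size_t n = sizeof(list) - 1;

    printf("comma not counted: window overruns by %zu byte(s)\n",
           scan_overrun(list, n, 0));
    printf("comma counted:     window overruns by %zu byte(s)\n",
           scan_overrun(list, n, 1));
    return 0;
}
```

Each comma that is skipped by the cursor but not subtracted from the remaining length widens the overrun by one byte, which is why the commit message ties the out-of-bounds read to the length of the list.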