    intel_th: msu: Fix an off-by-one in attribute store · ec5b5ad6
    Alexander Shishkin authored
    The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
    list of window sizes, passed from userspace. However, there is a bug in
    the string parsing logic wherein it doesn't exclude the comma character
    from the range of characters as it consumes them. This leads to an
    out-of-bounds access given a sufficiently long list. For example:
    
    > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
    > ==================================================================
    > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
    > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
    >
    > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
    > Call Trace:
    >  dump_stack+0x7c/0xc0
    >  print_address_description+0x6c/0x23c
    >  ? memchr+0x1e/0x40
    >  kasan_report.cold.5+0x241/0x308
    >  memchr+0x1e/0x40
    >  nr_pages_store+0x203/0xd00 [intel_th_msu]
    
    Fix this by accounting for the comma character.
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Fixes: ba82664c ("intel_th: Add Memory Storage Unit driver")
    Cc: stable@vger.kernel.org # v4.4+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
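
The off-by-one described in the commit message, as an added userspace model that is not the driver's code: `max_overshoot` and its `consume_comma` switch are hypothetical names, and the input is a constructed string. Each search is clamped so the program never reads out of bounds itself; it reports how far the scan window would run past the input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of scanning a comma-separated list with a (pointer, remaining
 * length) pair. consume_comma = 0 models the bug (the comma is skipped
 * by the pointer but not subtracted from the length), 1 models the fix.
 * Returns the largest number of bytes by which a scan window
 * [p, p + len) would extend past the end of the input; 0 means every
 * window stays in bounds.
 */
static size_t max_overshoot(const char *buf, size_t size, int consume_comma)
{
	const char *p = buf, *end;
	const char *limit = buf + size;
	size_t len = size, worst = 0;

	while (len) {
		size_t avail = (size_t)(limit - p);

		/* record how far an unclamped memchr(p, ',', len) would reach */
		if (len > avail && len - avail > worst)
			worst = len - avail;

		/* clamped search: this model itself never leaves the buffer */
		end = memchr(p, ',', len < avail ? len : avail);
		if (!end)
			break;

		/* consume the number, and in the fixed variant also the comma */
		len -= (size_t)(end - p) + (consume_comma ? 1 : 0);
		p = end + 1;
	}
	return worst;
}

int main(void)
{
	const char list[] = "8,8,8,8";	/* constructed sample input */
	size_t n = sizeof(list) - 1;

	printf("without comma accounting: %zu byte(s) past the input\n",
	       max_overshoot(list, n, 0));
	printf("with comma accounting:    %zu byte(s) past the input\n",
	       max_overshoot(list, n, 1));
	return 0;
}
```

In the buggy variant the remaining length drifts one byte further past the input for every comma consumed, which is why the commit message ties the out-of-bounds access to a sufficiently long list.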
Name
Kconfig
Makefile
acpi.c
core.c
debug.c
debug.h
gth.c
gth.h
intel_th.h
msu.c
msu.h
pci.c
pti.c
pti.h
sth.c
sth.h