mirror of
https://github.com/torvalds/linux.git
synced 2025-11-04 02:30:34 +02:00
ec5b5ad6e2
The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:
> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
>
> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+
> Call Trace:
> dump_stack+0x7c/0xc0
> print_address_description+0x6c/0x23c
> ? memchr+0x1e/0x40
> kasan_report.cold.5+0x241/0x308
> memchr+0x1e/0x40
> nr_pages_store+0x203/0xd00 [intel_th_msu]
Fix this by accounting for the comma character.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| acpi.c | ||
| core.c | ||
| debug.c | ||
| debug.h | ||
| gth.c | ||
| gth.h | ||
| intel_th.h | ||
| Kconfig | ||
| Makefile | ||
| msu.c | ||
| msu.h | ||
| pci.c | ||
| pti.c | ||
| pti.h | ||
| sth.c | ||
| sth.h | ||