[thirdparty/kernel/stable-queue.git] / releases / 4.4.170 / intel_th-msu-fix-an-off-by-one-in-attribute-store.patch

From ec5b5ad6e272d8d6b92d1007f79574919862a2d2 Mon Sep 17 00:00:00 2001
From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date: Wed, 19 Dec 2018 17:19:22 +0200
Subject: intel_th: msu: Fix an off-by-one in attribute store

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream.

The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:

> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
>
> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
> Call Trace:
>  dump_stack+0x7c/0xc0
>  print_address_description+0x6c/0x23c
>  ? memchr+0x1e/0x40
>  kasan_report.cold.5+0x241/0x308
>  memchr+0x1e/0x40
>  nr_pages_store+0x203/0xd00 [intel_th_msu]

Fix this by accounting for the comma character.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/msu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/hwtracing/intel_th/msu.c
+++ b/drivers/hwtracing/intel_th/msu.c
@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struc
 		if (!end)
 			break;
 
-		len -= end - p;
+		/* consume the number and the following comma, hence +1 */
+		len -= end - p + 1;
 		p = end + 1;
 	} while (len);
Commit	Line	Data
0a67671d GKH	1	From ec5b5ad6e272d8d6b92d1007f79574919862a2d2 Mon Sep 17 00:00:00 2001
	2	From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
	3	Date: Wed, 19 Dec 2018 17:19:22 +0200
	4	Subject: intel_th: msu: Fix an off-by-one in attribute store
	5
	6	From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
	7
	8	commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream.
	9
	10	The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
	11	list of window sizes, passed from userspace. However, there is a bug in
	12	the string parsing logic wherein it doesn't exclude the comma character
	13	from the range of characters as it consumes them. This leads to an
	14	out-of-bounds access given a sufficiently long list. For example:
	15
	16	> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
	17	> ==================================================================
	18	> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
	19	> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
	20	>
	21	> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+
	22	> Call Trace:
	23	> dump_stack+0x7c/0xc0
	24	> print_address_description+0x6c/0x23c
	25	> ? memchr+0x1e/0x40
	26	> kasan_report.cold.5+0x241/0x308
	27	> memchr+0x1e/0x40
	28	> nr_pages_store+0x203/0xd00 [intel_th_msu]
	29
	30	Fix this by accounting for the comma character.
	31
	32	Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
	33	Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
	34	Cc: stable@vger.kernel.org # v4.4+
	35	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	36
	37	---
	38	drivers/hwtracing/intel_th/msu.c \| 3 ++-
	39	1 file changed, 2 insertions(+), 1 deletion(-)
	40
	41	--- a/drivers/hwtracing/intel_th/msu.c
	42	+++ b/drivers/hwtracing/intel_th/msu.c
	43	@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struc
	44	if (!end)
	45	break;
	46
	47	- len -= end - p;
	48	+ /* consume the number and the following comma, hence +1 */
	49	+ len -= end - p + 1;
	50	p = end + 1;
	51	} while (len);
	52