Commit 96802e6b authored by Jean Delvare's avatar Jean Delvare Committed by Linus Torvalds
Browse files

kernel/params.c: fix an overflow in param_attr_show 

Function param_attr_show could overflow the buffer it is operating on.

The buffer size is PAGE_SIZE, and the string returned by
attribute->param->ops->get is generated by scnprintf(buffer, PAGE_SIZE,
...) so it could be PAGE_SIZE - 1 long, with the terminating '\0' at the
very end of the buffer.  Calling strcat(..., "\n") on this isn't safe, as
the '\0' will be replaced by '\n' (OK) and then another '\0' will be added
past the end of the buffer (not OK.)

Simply add the trailing '\n' when writing the attribute contents to the
buffer originally.  This is safe, and also faster.

Credits to Teradata for discovering this issue.

Link: http://lkml.kernel.org/r/20170928162602.60c379c7@endymion


Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
Acked-by: default avatarIngo Molnar <mingo@kernel.org>
Cc: Baoquan He <bhe@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 90ceb2a3

kernel/params.c

+7 −10
Original line number Diff line number Diff line
@@ -224,7 +224,7 @@ char *parse_args(const char *doing, 
	}								\

	int param_get_##name(char *buffer, const struct kernel_param *kp) \

	{								\

		return scnprintf(buffer, PAGE_SIZE, format,		\

		return scnprintf(buffer, PAGE_SIZE, format "\n",	\

				*((type *)kp->arg));			\

	}								\

	const struct kernel_param_ops param_ops_##name = {			\
@@ -270,7 +270,7 @@ EXPORT_SYMBOL(param_set_charp); 


int param_get_charp(char *buffer, const struct kernel_param *kp)

{

	return scnprintf(buffer, PAGE_SIZE, "%s", *((char **)kp->arg));

	return scnprintf(buffer, PAGE_SIZE, "%s\n", *((char **)kp->arg));

}

EXPORT_SYMBOL(param_get_charp);
@@ -301,7 +301,7 @@ EXPORT_SYMBOL(param_set_bool); 
int param_get_bool(char *buffer, const struct kernel_param *kp)

{

	/* Y and N chosen as being relatively non-coder friendly */

	return sprintf(buffer, "%c", *(bool *)kp->arg ? 'Y' : 'N');

	return sprintf(buffer, "%c\n", *(bool *)kp->arg ? 'Y' : 'N');

}

EXPORT_SYMBOL(param_get_bool);
@@ -360,7 +360,7 @@ EXPORT_SYMBOL(param_set_invbool); 


int param_get_invbool(char *buffer, const struct kernel_param *kp)

{

	return sprintf(buffer, "%c", (*(bool *)kp->arg) ? 'N' : 'Y');

	return sprintf(buffer, "%c\n", (*(bool *)kp->arg) ? 'N' : 'Y');

}

EXPORT_SYMBOL(param_get_invbool);
@@ -460,8 +460,9 @@ static int param_array_get(char *buffer, const struct kernel_param *kp) 
	struct kernel_param p = *kp;



	for (i = off = 0; i < (arr->num ? *arr->num : arr->max); i++) {

		/* Replace \n with comma */

		if (i)

			buffer[off++] = ',';

			buffer[off - 1] = ',';

		p.arg = arr->elem + arr->elemsize * i;

		check_kparam_locked(p.mod);

		ret = arr->ops->get(buffer + off, &p);
@@ -507,7 +508,7 @@ EXPORT_SYMBOL(param_set_copystring); 
int param_get_string(char *buffer, const struct kernel_param *kp)

{

	const struct kparam_string *kps = kp->str;

	return strlcpy(buffer, kps->string, PAGE_SIZE);

	return scnprintf(buffer, PAGE_SIZE, "%s\n", kps->string);

}

EXPORT_SYMBOL(param_get_string);
@@ -549,10 +550,6 @@ static ssize_t param_attr_show(struct module_attribute *mattr, 
	kernel_param_lock(mk->mod);

	count = attribute->param->ops->get(buf, attribute->param);

	kernel_param_unlock(mk->mod);

	if (count > 0) {

		strcat(buf, "\n");

		++count;

	}

	return count;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE