diff mbox series

[5.17-rc1,v2] eeprom: at25: Restore missing allocation

Message ID 20220118182003.3385019-1-keescook@chromium.org (mailing list archive)
State Mainlined
Commit a6501e4b380faee6bbf41bb2f833977c7ac6491a
Headers show
Series [5.17-rc1,v2] eeprom: at25: Restore missing allocation | expand

Commit Message

Kees Cook Jan. 18, 2022, 6:20 p.m. UTC
The at25 driver regressed in v5.17-rc1 due to a broken conflict
resolution: the allocation of the object was accidentally removed. Restore
it.

This was found when building under CONFIG_FORTIFY_SOURCE=y and
-Warray-bounds, which complained about strncpy() being used against an
empty object:

In function 'strncpy',
    inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2:
./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
   48 | #define __underlying_strncpy    __builtin_strncpy
      |                                 ^
./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
   59 |         return __underlying_strncpy(p, q, size);
      |                ^~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
    inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2,
    inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10:
./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
   48 | #define __underlying_strncpy    __builtin_strncpy
      |                                 ^
./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
   59 |         return __underlying_strncpy(p, q, size);
      |                ^~~~~~~~~~~~~~~~~~~~

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Prchal <jiri.prchal@aksignal.cz>
Fixes: af40d16042d6 ("Merge v5.15-rc5 into char-misc-next")
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/lkml/CAHp75VdqK7h63fz-cPaQ2MGaVdaR2f1Fb5kKCZidUG3RwLsAVA@mail.gmail.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v1: https://lore.kernel.org/lkml/20220107232409.1331599-1-keescook@chromium.org/
v2:
 - remove strscpy() replacements (unrelated)
 - use sizeof(*at25) (Andy)
---
 drivers/misc/eeprom/at25.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Geert Uytterhoeven Jan. 25, 2022, 2:20 p.m. UTC | #1
Hi Kees,

Thanks for your patch!

On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote:
> The at25 driver regressed in v5.17-rc1 due to a broken conflict
> resolution: the allocation of the object was accidentally removed. Restore
> it.
>
> This was found when building under CONFIG_FORTIFY_SOURCE=y and
> -Warray-bounds, which complained about strncpy() being used against an
> empty object:
>
> In function 'strncpy',
>     inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2:
> ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
>    48 | #define __underlying_strncpy    __builtin_strncpy
>       |                                 ^
> ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
>    59 |         return __underlying_strncpy(p, q, size);
>       |                ^~~~~~~~~~~~~~~~~~~~
> In function 'strncpy',
>     inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2,
>     inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10:
> ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
>    48 | #define __underlying_strncpy    __builtin_strncpy
>       |                                 ^
> ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
>    59 |         return __underlying_strncpy(p, q, size);
>       |                ^~~~~~~~~~~~~~~~~~~~

On real hardware:

    Unable to handle kernel access to user memory outside uaccess
routines at virtual address 0000000000000028
    ...
    pc : __mutex_init+0x20/0x68
    lr : at25_probe+0x8c/0x4d8


> Signed-off-by: Kees Cook <keescook@chromium.org>

Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
Geert Uytterhoeven Jan. 25, 2022, 3:25 p.m. UTC | #2
On Tue, Jan 25, 2022 at 3:20 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote:
> > The at25 driver regressed in v5.17-rc1 due to a broken conflict
> > resolution: the allocation of the object was accidentally removed. Restore
> > it.
> >
> > This was found when building under CONFIG_FORTIFY_SOURCE=y and
> > -Warray-bounds, which complained about strncpy() being used against an
> > empty object:
> >
> > In function 'strncpy',
> >     inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2:
> > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
> >    48 | #define __underlying_strncpy    __builtin_strncpy
> >       |                                 ^
> > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
> >    59 |         return __underlying_strncpy(p, q, size);
> >       |                ^~~~~~~~~~~~~~~~~~~~
> > In function 'strncpy',
> >     inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2,
> >     inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10:
> > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
> >    48 | #define __underlying_strncpy    __builtin_strncpy
> >       |                                 ^
> > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
> >    59 |         return __underlying_strncpy(p, q, size);
> >       |                ^~~~~~~~~~~~~~~~~~~~
>
> On real hardware:
>
>     Unable to handle kernel access to user memory outside uaccess
> routines at virtual address 0000000000000028
>     ...
>     pc : __mutex_init+0x20/0x68
>     lr : at25_probe+0x8c/0x4d8

To avoid confusion: of course the crash happens only without Kees'
patch.  I just wanted to point out what happens when you boot on
real hardware, as it might be worthwhile to add that to the commit
description.

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
Kees Cook Jan. 25, 2022, 5:43 p.m. UTC | #3
On Tue, Jan 25, 2022 at 04:25:39PM +0100, Geert Uytterhoeven wrote:
> On Tue, Jan 25, 2022 at 3:20 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote:
> > > The at25 driver regressed in v5.17-rc1 due to a broken conflict
> > > resolution: the allocation of the object was accidentally removed. Restore
> > > it.
> > >
> > > This was found when building under CONFIG_FORTIFY_SOURCE=y and
> > > -Warray-bounds, which complained about strncpy() being used against an
> > > empty object:
> > >
> > > In function 'strncpy',
> > >     inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2:
> > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
> > >    48 | #define __underlying_strncpy    __builtin_strncpy
> > >       |                                 ^
> > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
> > >    59 |         return __underlying_strncpy(p, q, size);
> > >       |                ^~~~~~~~~~~~~~~~~~~~
> > > In function 'strncpy',
> > >     inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2,
> > >     inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10:
> > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds]
> > >    48 | #define __underlying_strncpy    __builtin_strncpy
> > >       |                                 ^
> > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy'
> > >    59 |         return __underlying_strncpy(p, q, size);
> > >       |                ^~~~~~~~~~~~~~~~~~~~
> >
> > On real hardware:
> >
> >     Unable to handle kernel access to user memory outside uaccess
> > routines at virtual address 0000000000000028
> >     ...
> >     pc : __mutex_init+0x20/0x68
> >     lr : at25_probe+0x8c/0x4d8
> 
> To avoid confusion: of course the crash happens only without Kees'
> patch.  I just wanted to point out what happens when you boot on
> real hardware, as it might be worthwhile to add that to the commit
> description.

Okay, whew. :)
diff mbox series

Patch

diff --git a/drivers/misc/eeprom/at25.c b/drivers/misc/eeprom/at25.c
index c3305bdda69c..bee727ed98db 100644
--- a/drivers/misc/eeprom/at25.c
+++ b/drivers/misc/eeprom/at25.c
@@ -440,6 +440,10 @@  static int at25_probe(struct spi_device *spi)
 		return -ENXIO;
 	}
 
+	at25 = devm_kzalloc(&spi->dev, sizeof(*at25), GFP_KERNEL);
+	if (!at25)
+		return -ENOMEM;
+
 	mutex_init(&at25->lock);
 	at25->spi = spi;
 	spi_set_drvdata(spi, at25);