| Message ID | 20220118182003.3385019-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | a6501e4b380faee6bbf41bb2f833977c7ac6491a |
| Headers | show |
| Series | [5.17-rc1,v2] eeprom: at25: Restore missing allocation | expand |
Hi Kees, Thanks for your patch! On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote: > The at25 driver regressed in v5.17-rc1 due to a broken conflict > resolution: the allocation of the object was accidentally removed. Restore > it. > > This was found when building under CONFIG_FORTIFY_SOURCE=y and > -Warray-bounds, which complained about strncpy() being used against an > empty object: > > In function 'strncpy', > inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2: > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > 48 | #define __underlying_strncpy __builtin_strncpy > | ^ > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > 59 | return __underlying_strncpy(p, q, size); > | ^~~~~~~~~~~~~~~~~~~~ > In function 'strncpy', > inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2, > inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10: > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > 48 | #define __underlying_strncpy __builtin_strncpy > | ^ > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > 59 | return __underlying_strncpy(p, q, size); > | ^~~~~~~~~~~~~~~~~~~~ On real hardware: Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000028 ... pc : __mutex_init+0x20/0x68 lr : at25_probe+0x8c/0x4d8 > Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Tested-by: Geert Uytterhoeven <geert+renesas@glider.be> Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
On Tue, Jan 25, 2022 at 3:20 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote: > On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote: > > The at25 driver regressed in v5.17-rc1 due to a broken conflict > > resolution: the allocation of the object was accidentally removed. Restore > > it. > > > > This was found when building under CONFIG_FORTIFY_SOURCE=y and > > -Warray-bounds, which complained about strncpy() being used against an > > empty object: > > > > In function 'strncpy', > > inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2: > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > > 48 | #define __underlying_strncpy __builtin_strncpy > > | ^ > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > > 59 | return __underlying_strncpy(p, q, size); > > | ^~~~~~~~~~~~~~~~~~~~ > > In function 'strncpy', > > inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2, > > inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10: > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > > 48 | #define __underlying_strncpy __builtin_strncpy > > | ^ > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > > 59 | return __underlying_strncpy(p, q, size); > > | ^~~~~~~~~~~~~~~~~~~~ > > On real hardware: > > Unable to handle kernel access to user memory outside uaccess > routines at virtual address 0000000000000028 > ... > pc : __mutex_init+0x20/0x68 > lr : at25_probe+0x8c/0x4d8 To avoid confusion: of course the crash happens only without Kees' patch. I just wanted to point out what happens when you boot on real hardware, as it might be worthwhile to add that to the commit description. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
On Tue, Jan 25, 2022 at 04:25:39PM +0100, Geert Uytterhoeven wrote: > On Tue, Jan 25, 2022 at 3:20 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote: > > On Fri, Jan 21, 2022 at 12:33 AM Kees Cook <keescook@chromium.org> wrote: > > > The at25 driver regressed in v5.17-rc1 due to a broken conflict > > > resolution: the allocation of the object was accidentally removed. Restore > > > it. > > > > > > This was found when building under CONFIG_FORTIFY_SOURCE=y and > > > -Warray-bounds, which complained about strncpy() being used against an > > > empty object: > > > > > > In function 'strncpy', > > > inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2: > > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > > > 48 | #define __underlying_strncpy __builtin_strncpy > > > | ^ > > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > > > 59 | return __underlying_strncpy(p, q, size); > > > | ^~~~~~~~~~~~~~~~~~~~ > > > In function 'strncpy', > > > inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2, > > > inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10: > > > ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] > > > 48 | #define __underlying_strncpy __builtin_strncpy > > > | ^ > > > ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' > > > 59 | return __underlying_strncpy(p, q, size); > > > | ^~~~~~~~~~~~~~~~~~~~ > > > > On real hardware: > > > > Unable to handle kernel access to user memory outside uaccess > > routines at virtual address 0000000000000028 > > ... > > pc : __mutex_init+0x20/0x68 > > lr : at25_probe+0x8c/0x4d8 > > To avoid confusion: of course the crash happens only without Kees' > patch. I just wanted to point out what happens when you boot on > real hardware, as it might be worthwhile to add that to the commit > description. Okay, whew. :)
diff --git a/drivers/misc/eeprom/at25.c b/drivers/misc/eeprom/at25.c index c3305bdda69c..bee727ed98db 100644 --- a/drivers/misc/eeprom/at25.c +++ b/drivers/misc/eeprom/at25.c @@ -440,6 +440,10 @@ static int at25_probe(struct spi_device *spi) return -ENXIO; } + at25 = devm_kzalloc(&spi->dev, sizeof(*at25), GFP_KERNEL); + if (!at25) + return -ENOMEM; + mutex_init(&at25->lock); at25->spi = spi; spi_set_drvdata(spi, at25);
The at25 driver regressed in v5.17-rc1 due to a broken conflict resolution: the allocation of the object was accidentally removed. Restore it. This was found when building under CONFIG_FORTIFY_SOURCE=y and -Warray-bounds, which complained about strncpy() being used against an empty object: In function 'strncpy', inlined from 'at25_fw_to_chip.constprop' at drivers/misc/eeprom/at25.c:312:2: ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] 48 | #define __underlying_strncpy __builtin_strncpy | ^ ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' 59 | return __underlying_strncpy(p, q, size); | ^~~~~~~~~~~~~~~~~~~~ In function 'strncpy', inlined from 'at25_fram_to_chip' at drivers/misc/eeprom/at25.c:373:2, inlined from 'at25_probe' at drivers/misc/eeprom/at25.c:453:10: ./include/linux/fortify-string.h:48:33: warning: '__builtin_strncpy' offset [0, 9] is out of the bounds [0, 0] [-Warray-bounds] 48 | #define __underlying_strncpy __builtin_strncpy | ^ ./include/linux/fortify-string.h:59:16: note: in expansion of macro '__underlying_strncpy' 59 | return __underlying_strncpy(p, q, size); | ^~~~~~~~~~~~~~~~~~~~ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Jiri Prchal <jiri.prchal@aksignal.cz> Fixes: af40d16042d6 ("Merge v5.15-rc5 into char-misc-next") Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> Link: https://lore.kernel.org/lkml/CAHp75VdqK7h63fz-cPaQ2MGaVdaR2f1Fb5kKCZidUG3RwLsAVA@mail.gmail.com/ Signed-off-by: Kees Cook <keescook@chromium.org> --- v1: https://lore.kernel.org/lkml/20220107232409.1331599-1-keescook@chromium.org/ v2: - remove strscpy() replacements (unrelated) - use sizeof(*at25) (Andy) --- drivers/misc/eeprom/at25.c | 4 ++++ 1 file changed, 4 insertions(+)