[PATCH] net: rfkill: Add filename varidity test at rfkill_alloc().

From: Tetsuo Handa
Date: Mon May 07 2018 - 02:58:37 EST

Next message: Masahiro Yamada: "Re: [RFCv2 PATCH 0/3] Salted build ids via linker sections"
Previous message: Bharat Kumar Gogada: "RE: NVMe Poll CQ on timeout"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

syzbot is hitting WARN() at kobject_uevent_env() [1].
This is because the test case is requesting too long name.
Since the name is used as part of pathname under /sys/devices/virtual/ ,
this name parameter must obey the limitations of a filename.
Fix this by applying name validity test to rfkill_alloc().

[1] https://syzkaller.appspot.com/bug?id=c1e1ab1d042b637ee9e25c64b107d51630b9d9ec

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Reported-by: syzbot <syzbot+230d9e642a85d3fec29c@xxxxxxxxxxxxxxxxxxxxxxxxx>
Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
---
net/rfkill/core.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 59d0eb9..d8beebc 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -933,6 +933,10 @@ struct rfkill * __must_check rfkill_alloc(const char *name,
if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
return NULL;

+ if (strlen(name) > NAME_MAX || strchr(name, '/') ||
+ !strcmp(name, ".") || !strcmp(name, ".."))
+ return NULL;
+
rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
if (!rfkill)
return NULL;
--
1.8.3.1

Next message: Masahiro Yamada: "Re: [RFCv2 PATCH 0/3] Salted build ids via linker sections"
Previous message: Bharat Kumar Gogada: "RE: NVMe Poll CQ on timeout"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]