Re: [PATCH v2] ACPI: scan: Fix a Hyper-V Linux VM panic caused by buffer overflow
From: Jethro Beekman
Date: Sat Jan 09 2021 - 03:31:18 EST
On 2021-01-08 08:23, Dexuan Cui wrote:
> Linux VM on Hyper-V crashes with the latest mainline:
>
> [ 4.069624] detected buffer overflow in strcpy
> [ 4.077733] kernel BUG at lib/string.c:1149!
> ..
> [ 4.085819] RIP: 0010:fortify_panic+0xf/0x11
> ...
> [ 4.085819] Call Trace:
> [ 4.085819] acpi_device_add.cold.15+0xf2/0xfb
> [ 4.085819] acpi_add_single_object+0x2a6/0x690
> [ 4.085819] acpi_bus_check_add+0xc6/0x280
> [ 4.085819] acpi_ns_walk_namespace+0xda/0x1aa
> [ 4.085819] acpi_walk_namespace+0x9a/0xc2
> [ 4.085819] acpi_bus_scan+0x78/0x90
> [ 4.085819] acpi_scan_init+0xfa/0x248
> [ 4.085819] acpi_init+0x2c1/0x321
> [ 4.085819] do_one_initcall+0x44/0x1d0
> [ 4.085819] kernel_init_freeable+0x1ab/0x1f4
>
> This is because of the recent buffer overflow detection in the
> commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in fortified string functions")
>
> Here acpi_device_bus_id->bus_id can only hold 14 characters, while the
> the acpi_device_hid(device) returns a 22-char string
> "HYPER_V_GEN_COUNTER_V1".
>
> Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a
> string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8
> chars.
>
> The field bus_id in struct acpi_device_bus_id was originally defined as
> char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the
> commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI devices")
>
> Fix the issue by changing the field bus_id to const char *, and use
> kstrdup_const() to initialize it.
>
> Signed-off-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=210449
Tested-By: Jethro Beekman <jethro@xxxxxxxxxxxx>
--
Jethro Beekman | Fortanix
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature