Re: [PATCH] modules: Fix corruption of /proc/kallsyms
From: Adrian Hunter
Date: Mon Jul 11 2022 - 03:48:26 EST
On 2/07/22 00:40, Luis Chamberlain wrote:
> On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
>> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
>> file") changed from using strlcpy() to using strscpy() which created a
>> buffer overflow. That happened because:
>> 1) an incorrect value was passed as the buffer length
>> 2) strscpy() (unlike strlcpy()) may copy beyond the length of the
>> input string when copying word-by-word.
>> The assumption was that because it was already known that the strings
>> being copied would fit in the space available, it was not necessary
>> to correctly set the buffer length. strscpy() breaks that assumption
>> because although it will not touch bytes beyond the given buffer length
>> it may write bytes beyond the input string length when writing
>> The result of the buffer overflow is to corrupt the symbol type
>> information that follows. e.g.
>> $ sudo cat -v /proc/kallsyms | grep '\^' | head
>> ffffffffc0615000 ^@ rfcomm_session_get [rfcomm]
>> ffffffffc061c060 ^@ session_list [rfcomm]
>> ffffffffc06150d0 ^@ rfcomm_send_frame [rfcomm]
>> ffffffffc0615130 ^@ rfcomm_make_uih [rfcomm]
>> ffffffffc07ed58d ^@ bnep_exit [bnep]
>> ffffffffc07ec000 ^@ bnep_rx_control [bnep]
>> ffffffffc07ec1a0 ^@ bnep_session [bnep]
>> ffffffffc07e7000 ^@ input_leds_event [input_leds]
>> ffffffffc07e9000 ^@ input_leds_handler [input_leds]
>> ffffffffc07e7010 ^@ input_leds_disconnect [input_leds]
>> Notably, the null bytes (represented above by ^@) can confuse tools.
>> Fix by correcting the buffer length.
>> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
>> Signed-off-by: Adrian Hunter <adrian.hunter@xxxxxxxxx>
> Queued up thanks!
Thanks for processing this.
I notice it is -rc6 and I do not see it in Linus' tree. This is a fix
for a regression, shouldn't it be included in 5.19?