| Message ID | 20200609024643.318590-2-benjamin.romer@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | CVE-2019-19462 | expand |
On 09.06.20 04:46, Benjamin M Romer wrote: > From: Daniel Axtens <dja@axtens.net> > > alloc_percpu() may return NULL, which means chan->buf may be set to NULL. > In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an > invalid pointer: > > BUG: Unable to handle kernel data access at 0x7dae0000 > Faulting instruction address: 0xc0000000003f3fec > ... > NIP relay_open+0x29c/0x600 > LR relay_open+0x270/0x600 > Call Trace: > relay_open+0x264/0x600 (unreliable) > __blk_trace_setup+0x254/0x600 > blk_trace_setup+0x68/0xa0 > sg_ioctl+0x7bc/0x2e80 > do_vfs_ioctl+0x13c/0x1300 > ksys_ioctl+0x94/0x130 > sys_ioctl+0x48/0xb0 > system_call+0x5c/0x68 > > Check if alloc_percpu returns NULL. > > This was found by syzkaller both on x86 and powerpc, and the reproducer > it found on powerpc is capable of hitting the issue as an unprivileged > user. > > Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") > Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com > Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com > Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com > Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com > Signed-off-by: Daniel Axtens <dja@axtens.net> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Reviewed-by: Michael Ellerman <mpe@ellerman.id.au> > Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> > Acked-by: David Rientjes <rientjes@google.com> > Cc: Akash Goel <akash.goel@intel.com> > Cc: Andrew Donnellan <ajd@linux.ibm.com> > Cc: Guenter Roeck <linux@roeck-us.net> > Cc: Salvatore Bonaccorso <carnil@debian.org> > Cc: <stable@vger.kernel.org> [4.10+] > Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit 54e200ab40fc14c863bcc80a51e20b7906608fce) > CVE-2019-19642 > Signed-off-by: Benjamin M Romer <benjamin.romer@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > kernel/relay.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/relay.c b/kernel/relay.c > index ade14fb7ce2e..4b760ec16342 100644 > --- a/kernel/relay.c > +++ b/kernel/relay.c > @@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename, > return NULL; > > chan->buf = alloc_percpu(struct rchan_buf *); > + if (!chan->buf) { > + kfree(chan); > + return NULL; > + } > + > chan->version = RELAYFS_CHANNEL_VERSION; > chan->n_subbufs = n_subbufs; > chan->subbuf_size = subbuf_size; >
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
diff --git a/kernel/relay.c b/kernel/relay.c index ade14fb7ce2e..4b760ec16342 100644 --- a/kernel/relay.c +++ b/kernel/relay.c @@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename, return NULL; chan->buf = alloc_percpu(struct rchan_buf *); + if (!chan->buf) { + kfree(chan); + return NULL; + } + chan->version = RELAYFS_CHANNEL_VERSION; chan->n_subbufs = n_subbufs; chan->subbuf_size = subbuf_size;