[SRU,J:linux-bluefield,v1,0/1] UBUNTU: SAUCE: mlxbf-bootctl: Fix kernel panic due to buffer overflow

Message ID 20230720203737.30469-1-asmaa@nvidia.com

Message

Asmaa Mnebhi July 20, 2023, 8:37 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/2028309

SRU Justification:

[Impact]

Running the following LTP (linux-test-project) script causes
a kernel panic and a reboot of the DPU:
ltp/testcases/bin/read_all -d /sys -q -r 10

The above test reads all directories and files under /sys.
Reading the sysfs entry "large_icm" causes the kernel panic
due to a garbage value returned via i2c read. That garbage
value causes a buffer overflow in sprintf.

[Fix]

* Replace sprintf with snprintf. Also add the missing lock and
increase the buffer size to PAGE_SIZE.

[Test Case]

* Run from linux:
ltp/testcases/bin/read_all -d /sys -q -r 10

[Regression Potential]

* no known regression
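
A userspace illustration of the sprintf-to-snprintf change described above, added here as an example and not taken from the mlxbf-bootctl patch or driver. The names `show_bounded`, `reported_len` and `OUT_SIZE` are hypothetical, and the device value is assumed to be byte data that may lack a NUL terminator; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 16 /* small stand-in for the output buffer (assumption) */

/* What snprintf itself reports for this input: the length it WOULD have
 * written given unlimited space. It can exceed the buffer size, so using
 * it directly as "bytes produced" over-reports after truncation. */
static int reported_len(char *out, size_t size, const char *val, size_t len)
{
    return snprintf(out, size, "%.*s\n", (int)len, val);
}

/* Hypothetical model of a "show" routine: format an untrusted device value
 * into the caller's buffer and return the bytes actually stored (without
 * the NUL), never more than size - 1. */
static int show_bounded(char *out, size_t size, const char *val, size_t len)
{
    int n;

    if (size == 0)
        return 0;
    /* The "%.*s" precision caps how many source bytes are read, so garbage
     * without a terminator cannot make the formatter run past val[len]. */
    n = snprintf(out, size, "%.*s\n", (int)len, val);
    if (n < 0) {                /* formatting error: return empty output */
        out[0] = '\0';
        return 0;
    }
    if ((size_t)n >= size)      /* output was truncated: clamp the count */
        n = (int)(size - 1);
    return n;
}

int main(void)
{
    char raw[40], out[OUT_SIZE];

    memset(raw, 'A', sizeof(raw)); /* constructed garbage, no NUL byte */
    printf("snprintf reported %d bytes\n",
           reported_len(out, sizeof(out), raw, sizeof(raw)));
    printf("stored %d bytes: %s\n",
           show_bounded(out, sizeof(out), raw, sizeof(raw)), out);
    return 0;
}
```

In kernel code, `scnprintf()` and `sysfs_emit()` return the number of bytes actually written, which removes the need for the manual clamp shown here.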

Comments

Bartlomiej Zolnierkiewicz July 21, 2023, 3:20 p.m. UTC | #1
Acked-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz@canonical.com>

On Thu, Jul 20, 2023 at 10:38 PM Asmaa Mnebhi <asmaa@nvidia.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2028309
>
> SRU Justification:
>
> [Impact]
>
> Running the following LTP (linux-test-project) script causes
> a kernel panic and a reboot of the DPU:
> ltp/testcases/bin/read_all -d /sys -q -r 10
>
> The above test reads all directories and files under /sys.
> Reading the sysfs entry "large_icm" causes the kernel panic
> due to a garbage value returned via i2c read. That garbage
> value causes a buffer overflow in sprintf.
>
> [Fix]
>
> * Replace sprintf with snprintf. Also add the missing lock and
> increase the buffer size to PAGE_SIZE.
>
> [Test Case]
>
> * Run from linux:
> ltp/testcases/bin/read_all -d /sys -q -r 10
>
> [Regression Potential]
>
> * no known regression
>

Tim Gardner July 21, 2023, 3:30 p.m. UTC | #2
On 7/20/23 2:37 PM, Asmaa Mnebhi wrote:
> BugLink: https://bugs.launchpad.net/bugs/2028309
> 
> SRU Justification:
> 
> [Impact]
> 
> Running the following LTP (linux-test-project) script causes
> a kernel panic and a reboot of the DPU:
> ltp/testcases/bin/read_all -d /sys -q -r 10
>
> The above test reads all directories and files under /sys.
> Reading the sysfs entry "large_icm" causes the kernel panic
> due to a garbage value returned via i2c read. That garbage
> value causes a buffer overflow in sprintf.
>
> [Fix]
>
> * Replace sprintf with snprintf. Also add the missing lock and
> increase the buffer size to PAGE_SIZE.
> 
> [Test Case]
> 
> * Run from linux:
> ltp/testcases/bin/read_all -d /sys -q -r 10
> 
> [Regression Potential]
> 
> * no known regression
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

This really ought to be 2 patches. Protecting the call to
arm_smccc_smc() has little to do with an snprintf() buffer overflow.

Bartlomiej Zolnierkiewicz July 21, 2023, 3:37 p.m. UTC | #3
Applied to jammy:linux-bluefield/master-next. Thanks.

--
Best regards,
Bartlomiej

On Thu, Jul 20, 2023 at 10:38 PM Asmaa Mnebhi <asmaa@nvidia.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2028309
>
> SRU Justification:
>
> [Impact]
>
> Running the following LTP (linux-test-project) script causes
> a kernel panic and a reboot of the DPU:
> ltp/testcases/bin/read_all -d /sys -q -r 10
>
> The above test reads all directories and files under /sys.
> Reading the sysfs entry "large_icm" causes the kernel panic
> due to a garbage value returned via i2c read. That garbage
> value causes a buffer overflow in sprintf.
>
> [Fix]
>
> * Replace sprintf with snprintf. Also add the missing lock and
> increase the buffer size to PAGE_SIZE.
>
> [Test Case]
>
> * Run from linux:
> ltp/testcases/bin/read_all -d /sys -q -r 10
>
> [Regression Potential]
>
> * no known regression
>