From patchwork Mon Jul 29 23:28:38 2024
X-Patchwork-Submitter: Matthew Ruffell
X-Patchwork-Id: 1966244
From: Matthew Ruffell
To: kernel-team@lists.ubuntu.com, tj.iam.tj@proton.me
Subject: [SRU][Noble][PATCH 1/1] UBUNTU: SAUCE: arm64: v6.8: cmdline param >= 146 chars kills kernel
Date: Tue, 30 Jul 2024 11:28:38 +1200
Message-ID: <20240729232944.10019-2-matthew.ruffell@canonical.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240729232944.10019-1-matthew.ruffell@canonical.com>
References: <20240729232944.10019-1-matthew.ruffell@canonical.com>

From: Tj

BugLink: https://bugs.launchpad.net/bugs/2069534

This is v6.8 specific; v6.9 is reported as not affected (due to extensive
code refactoring).

Commit dc3f5aae0638 reworked how early cmdline CPU feature parsing is done,
and converted to using memcmp() in preparation for the move to the pi
minimal C standard library. As a result it caused a regression whereby a
parameter >= 146 characters on the kernel command line would cause a silent
panic with no console clues as to why.

It is due to memcmp() in include/linux/fortify-string.h detecting an
attempted out-of-bounds read.

The cause itself is subtle.

arch/arm64/kernel/idreg-override.c::__parse_cmdline() compares the struct
aliases entries with each parameter via memcmp().

...
static const struct {
	char alias[FTR_ALIAS_NAME_LEN];
	char feature[FTR_ALIAS_OPTION_LEN];
} aliases[]

Each element is 146 characters. When a parameter is also 146 characters the
call looks like

	memcmp(buf, aliases[i].alias, len+1)

where len is the equivalent of strlen(buf) and +1 to compare including the
trailing NUL.

That triggers the fortified memcmp()'s:

	if (p_size < size || q_size < size)
		fortify_panic(__func__);

where q_size == 146, size == 147

The solution here is to not call memcmp() at all unless the two strings have
the same length.

Initially reported in Ubuntu (and confirmed to affect Debian and Mainline):
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2069534

Fixes: dc3f5aae0638 ("arm64: idreg-override: Avoid parameq() and parameqn()")
Signed-off-by: Tj
Signed-off-by: Matthew Ruffell
---
 arch/arm64/kernel/idreg-override.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c
index e30fd9e32ef3..9d2c120f378a 100644
--- a/arch/arm64/kernel/idreg-override.c
+++ b/arch/arm64/kernel/idreg-override.c
@@ -308,7 +308,8 @@ static __init void __parse_cmdline(const char *cmdline, bool parse_aliases) match_options(buf); for (i = 0; parse_aliases && i < ARRAY_SIZE(aliases); i++) - if (!memcmp(buf, aliases[i].alias, len + 1)) + if (len == strlen(aliases[i].alias) && + !memcmp(buf, aliases[i].alias, len + 1)) __parse_cmdline(aliases[i].feature, false); } while (1); }
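Review bot: the `len + 1` kept in `!memcmp(buf, aliases[i].alias, len + 1)` is redundant once `len == strlen(aliases[i].alias)` holds: with equal lengths both strings terminate at index `len`, so `memcmp(buf, aliases[i].alias, len)` already compares every byte that matters and the extra NUL comparison adds nothing. The change is correct as written, though: equal lengths imply `len + 1 <= FTR_ALIAS_NAME_LEN` (the alias fits its 146-byte array together with its NUL), so the `q_size < size` fortify bound from the commit message can no longer be exceeded, and the `&&` short-circuit guarantees memcmp() is not evaluated at all when the lengths differ. Minor: `strlen(aliases[i].alias)` is recomputed for every cmdline token and every alias; negligible in __init code, so no change needed, but the shorter memcmp() length would make the intent clearer.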
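The fortify failure the commit message describes, as an added user-space model that is not the kernel's code and not part of this patch: the aliases[] layout and the bounds check are taken from the message, while BUF_SIZE, the two sample aliases and the lookup helpers are assumptions. It shows a 145-character parameter passing the check, a 146-character one tripping it, and the patch's length guard keeping memcmp() from being reached at all.

```c
#include <stdbool.h>
#include <string.h>
/* Sizes from the commit message; BUF_SIZE is an assumed token-buffer size
 * and the two aliases are constructed samples, not the kernel's table. */
#define FTR_ALIAS_NAME_LEN   146
#define FTR_ALIAS_OPTION_LEN 146
#define BUF_SIZE             256
static const struct {
    char alias[FTR_ALIAS_NAME_LEN];
    char feature[FTR_ALIAS_OPTION_LEN];
} aliases[] = {
    { "sample.alias.one", "id_sample.one=0" },
    { "sample.alias.two", "id_sample.two=0" },
};
#define NR_ALIASES (sizeof(aliases) / sizeof(aliases[0]))
enum { LOOKUP_NO_MATCH = -1, LOOKUP_FORTIFY_PANIC = -2 };

/* User-space model of the fortified memcmp() bounds check:
 * p_size/q_size are the compiler-known sizes of the two arguments. */
static bool fortify_would_panic(size_t p_size, size_t q_size, size_t size)
{
    return p_size < size || q_size < size;
}

/* Mirrors the alias loop of __parse_cmdline(). guard == false models the old
 * code (memcmp() on every alias), guard == true the patch (memcmp() only when
 * the lengths match). Returns the matching index, LOOKUP_NO_MATCH, or
 * LOOKUP_FORTIFY_PANIC where the fortified memcmp() would have panicked. */
static int alias_lookup(const char *buf, bool guard)
{
    size_t len = strlen(buf);   /* the kernel's len for this token */
    for (size_t i = 0; i < NR_ALIASES; i++) {
        if (guard && len != strlen(aliases[i].alias))
            continue;           /* patched path: memcmp() never reached */
        /* len + 1 includes the trailing NUL, as in the kernel call */
        if (fortify_would_panic(BUF_SIZE, sizeof(aliases[i].alias), len + 1))
            return LOOKUP_FORTIFY_PANIC;
        if (!memcmp(buf, aliases[i].alias, len + 1))
            return (int)i;
    }
    return LOOKUP_NO_MATCH;
}

/* Constructed parameter of n 'x' characters (n < BUF_SIZE). */
static const char *make_param(size_t n)
{
    static char param[BUF_SIZE];
    memset(param, 'x', n);
    param[n] = '\0';
    return param;
}
```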