# git rev-parse -q --verify 348c71344111d7a48892e3e52264ff11956fc196^{commit} 348c71344111d7a48892e3e52264ff11956fc196 already have revision, skipping fetch # git checkout -q -f -B kisskb 348c71344111d7a48892e3e52264ff11956fc196 # git clean -qxdf # < git log -1 # commit 348c71344111d7a48892e3e52264ff11956fc196 # Author: Kajol Jain # Date: Thu May 5 21:04:51 2022 +0530 # # powerpc/papr_scm: Fix buffer overflow issue with CONFIG_FORTIFY_SOURCE # # With CONFIG_FORTIFY_SOURCE enabled, string functions will also perform # dynamic checks for string size which can panic the kernel, like in case # of overflow detection. # # In papr_scm, papr_scm_pmu_check_events function uses stat->stat_id with # string operations, to populate the nvdimm_events_map array. Since # stat_id variable is not NULL terminated, the kernel panics with # CONFIG_FORTIFY_SOURCE enabled at boot time. # # Below are the logs of kernel panic: # # detected buffer overflow in __fortify_strlen # ------------[ cut here ]------------ # kernel BUG at lib/string_helpers.c:980! # Oops: Exception in kernel mode, sig: 5 [#1] # NIP [c00000000077dad0] fortify_panic+0x28/0x38 # LR [c00000000077dacc] fortify_panic+0x24/0x38 # Call Trace: # [c0000022d77836e0] [c00000000077dacc] fortify_panic+0x24/0x38 (unreliable) # [c00800000deb2660] papr_scm_pmu_check_events.constprop.0+0x118/0x220 [papr_scm] # [c00800000deb2cb0] papr_scm_probe+0x288/0x62c [papr_scm] # [c0000000009b46a8] platform_probe+0x98/0x150 # # Fix this issue by using kmemdup_nul() to copy the content of # stat->stat_id directly to the nvdimm_events_map array. # # mpe: stat->stat_id comes from the hypervisor, not userspace, so there is # no security exposure. 
# # Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support") # Signed-off-by: Kajol Jain # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20220505153451.35503-1-kjain@linux.ibm.com # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 348c71344111d7a48892e3e52264ff11956fc196 # < make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- skiroot_defconfig # < make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- help # make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- olddefconfig # make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_skiroot_defconfig_powerpc-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- In file included from /kisskb/src/include/linux/byteorder/little_endian.h:5, from /kisskb/src/arch/powerpc/include/uapi/asm/byteorder.h:12, from /kisskb/src/include/asm-generic/bitops/le.h:6, from /kisskb/src/arch/powerpc/include/asm/bitops.h:336, from /kisskb/src/include/linux/bitops.h:33, from /kisskb/src/include/linux/kernel.h:22, from /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:46: /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c: In function '_base_make_ioc_operational': /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5396:40: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5396 | 
(le16_to_cpu(sas_iounit_pg1->SASWideMaxQueueDepth)) ? /kisskb/src/include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) | ^ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5396:14: note: in expansion of macro 'le16_to_cpu' 5396 | (le16_to_cpu(sas_iounit_pg1->SASWideMaxQueueDepth)) ? | ^~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from /kisskb/src/include/linux/byteorder/little_endian.h:5, from /kisskb/src/arch/powerpc/include/uapi/asm/byteorder.h:12, from /kisskb/src/include/asm-generic/bitops/le.h:6, from /kisskb/src/arch/powerpc/include/asm/bitops.h:336, from /kisskb/src/include/linux/bitops.h:33, from /kisskb/src/include/linux/kernel.h:22, from /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:46: /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5400:40: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5400 | (le16_to_cpu(sas_iounit_pg1->SASNarrowMaxQueueDepth)) ? /kisskb/src/include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) | ^ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5400:14: note: in expansion of macro 'le16_to_cpu' 5400 | (le16_to_cpu(sas_iounit_pg1->SASNarrowMaxQueueDepth)) ? 
| ^~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5403:43: warning: array subscript 'Mpi2SasIOUnitPage1_t {aka struct _MPI2_CONFIG_PAGE_SASIOUNIT_1}[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds] 5403 | ioc->max_sata_qd = (sas_iounit_pg1->SATAMaxQDepth) ? | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~ /kisskb/src/drivers/scsi/mpt3sas/mpt3sas_base.c:5382:26: note: referencing an object of size 20 allocated by 'kzalloc' 5382 | sas_iounit_pg1 = kzalloc(sz, GFP_KERNEL); | ^~~~~~~~~~~~~~~~~~~~~~~ Completed OK # rm -rf /kisskb/build/powerpc-fixes_skiroot_defconfig_powerpc-gcc11 # Build took: 0:02:58.339001