Patch "of: module: prevent NULL pointer dereference in vsnprintf()" has been added to the 6.6-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 08 Apr 2024 11:24:22 +0200

This is a note to let you know that I've just added the patch titled

    of: module: prevent NULL pointer dereference in vsnprintf()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     of-module-prevent-null-pointer-dereference-in-vsnprintf.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From a1aa5390cc912934fee76ce80af5f940452fa987 Mon Sep 17 00:00:00 2001
From: Sergey Shtylyov <s.shtylyov@xxxxxx>
Date: Wed, 27 Mar 2024 19:52:49 +0300
Subject: of: module: prevent NULL pointer dereference in vsnprintf()

From: Sergey Shtylyov <s.shtylyov@xxxxxx>

commit a1aa5390cc912934fee76ce80af5f940452fa987 upstream.

In of_modalias(), we can get passed the str and len parameters which would
cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr
when the length is also 0. Also, we need to filter out the negative values
of the len parameter as these will result in a really huge buffer since
snprintf() takes size_t parameter while ours is ssize_t...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@xxxxxx
Signed-off-by: Rob Herring <robh@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/of/module.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/of/module.c
+++ b/drivers/of/module.c
@@ -16,6 +16,14 @@ ssize_t of_modalias(const struct device_
 	ssize_t csize;
 	ssize_t tsize;
 
+	/*
+	 * Prevent a kernel oops in vsnprintf() -- it only allows passing a
+	 * NULL ptr when the length is also 0. Also filter out the negative
+	 * lengths...
+	 */
+	if ((len > 0 && !str) || len < 0)
+		return -EINVAL;
+
 	/* Name & Type */
 	/* %p eats all alphanum characters, so %c must be used here */
 	csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T',


Patches currently in stable-queue which might be from s.shtylyov@xxxxxx are

queue-6.6/of-module-prevent-null-pointer-dereference-in-vsnprintf.patch
queue-6.6/net-ravb-always-update-error-counters.patch
queue-6.6/net-ravb-let-ip-specific-receive-function-to-interro.patch
queue-6.6/net-ravb-always-process-tx-descriptor-ring.patch







