This is a note to let you know that I've just added the patch titled
platform/x86: wmi: fix off-by-one write in wmi_dev_probe()
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 6e1d8ea90932f77843730ada0bfea63093b7212a Mon Sep 17 00:00:00 2001
From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Date: Wed, 14 Feb 2018 14:55:24 +0300
Subject: platform/x86: wmi: fix off-by-one write in wmi_dev_probe()
From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
commit 6e1d8ea90932f77843730ada0bfea63093b7212a upstream.
wmi_dev_probe() allocates one byte less than necessary, thus
subsequent sprintf() call writes trailing zero past the end
of the 'buf':
BUG: KASAN: slab-out-of-bounds in vsnprintf+0xda4/0x1240
Write of size 1 at addr ffff880423529caf by task kworker/1:1/32
Call Trace:
dump_stack+0xb3/0x14d
print_address_description+0xd7/0x380
kasan_report+0x166/0x2b0
vsnprintf+0xda4/0x1240
sprintf+0x9b/0xd0
wmi_dev_probe+0x1c3/0x400
driver_probe_device+0x5d1/0x990
bus_for_each_drv+0x109/0x190
__device_attach+0x217/0x360
bus_probe_device+0x1ad/0x260
deferred_probe_work_func+0x10f/0x5d0
process_one_work+0xa8b/0x1dc0
worker_thread+0x20d/0x17d0
kthread+0x311/0x3d0
ret_from_fork+0x3a/0x50
Allocated by task 32:
kasan_kmalloc+0xa0/0xd0
__kmalloc+0x14f/0x3e0
wmi_dev_probe+0x182/0x400
driver_probe_device+0x5d1/0x990
bus_for_each_drv+0x109/0x190
__device_attach+0x217/0x360
bus_probe_device+0x1ad/0x260
deferred_probe_work_func+0x10f/0x5d0
process_one_work+0xa8b/0x1dc0
worker_thread+0x20d/0x17d0
kthread+0x311/0x3d0
ret_from_fork+0x3a/0x50
Increment allocation size to fix this.
Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers")
Signed-off-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/platform/x86/wmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -933,7 +933,7 @@ static int wmi_dev_probe(struct device *
goto probe_failure;
}
- buf = kmalloc(strlen(wdriver->driver.name) + 4, GFP_KERNEL);
+ buf = kmalloc(strlen(wdriver->driver.name) + 5, GFP_KERNEL);
if (!buf) {
ret = -ENOMEM;
goto probe_string_failure;
Patches currently in stable-queue which might be from aryabinin@xxxxxxxxxxxxx are
queue-4.15/platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch