Commit d08b6a56 authored by Sergey Shtylyov, committed by Chen Jun

of: module: prevent NULL pointer dereference in vsnprintf()

mainline inclusion
from mainline-v6.9-rc3
commit a1aa5390cc912934fee76ce80af5f940452fa987
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8R
CVE: CVE-2024-35878

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a1aa5390cc912934fee76ce80af5f940452fa987



--------------------------------

In of_modalias(), we can get passed the str and len parameters which would
cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr
when the length is also 0. Also, we need to filter out the negative values
of the len parameter as these will result in a really huge buffer since
snprintf() takes size_t parameter while ours is ssize_t...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@omp.ru


Signed-off-by: Rob Herring <robh@kernel.org>

Conflicts:
	drivers/of/device.c
	drivers/of/module.c
[chenjun: context conflicts. of_modalias() is not extracted from
of_device_get_modalias().]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
parent c93f7899
+8 −0
@@ -226,6 +226,14 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
	if ((!dev) || (!dev->of_node))
		return -ENODEV;

	/*
	 * Prevent a kernel oops in vsnprintf() -- it only allows passing a
	 * NULL ptr when the length is also 0. Also filter out the negative
	 * lengths...
	 */
	if ((len > 0 && !str) || len < 0)
		return -EINVAL;

	/* Name & Type */
	/* %p eats all alphanum characters, so %c must be used here */
	csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
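
Review bot: The comment above the new `if ((len > 0 && !str) || len < 0)` check explains the NULL-pointer case but trails off at "filter out the negative lengths..." without saying why they are dangerous. That reason appears only in the commit message (snprintf() takes a size_t while `len` is ssize_t, so a negative value turns into a very large buffer size); stating it in the comment would keep the `len < 0` half of the check from being mistaken for redundant later. Two behaviours follow from where the check sits and are worth a line in the comment as well: it runs after the `-ENODEV` test, so a NULL `dev` combined with a bad `len` still reports -ENODEV rather than -EINVAL, and the `str == NULL` with `len == 0` call is still accepted.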