• Daniel Axtens's avatar
    powerpc/pseries/hvconsole: Fix stack overread via udbg · 934bda59
    Daniel Axtens authored
    While developing KASAN for 64-bit book3s, I hit the following stack
    over-read.
    
    It occurs because the hypercall to put characters onto the terminal
    takes 2 longs (128 bits/16 bytes) of characters at a time, and so
    hvc_put_chars() would unconditionally copy 16 bytes from the argument
    buffer, regardless of supplied length. However, udbg_hvc_putc() can
    call hvc_put_chars() with a single-byte buffer, leading to the error.
    
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in hvc_put_chars+0xdc/0x110
      Read of size 8 at addr c0000000023e7a90 by task swapper/0
    
      CPU: 0 PID: 0 Comm: swapper Not tainted 5.2.0-rc2-next-20190528-02824-g048a6ab4835b #113
      Call Trace:
        dump_stack+0x104/0x154 (unreliable)
        print_address_description+0xa0/0x30c
        __kasan_report+0x20c/0x224
        kasan_report+0x18/0x30
        __asan_report_load8_noabort+0x24/0x40
        hvc_put_chars+0xdc/0x110
        hvterm_raw_put_chars+0x9c/0x110
        udbg_hvc_putc+0x154/0x200
        udbg_write+0xf0/0x240
        console_unlock+0x868/0xd30
        register_console+0x970/0xe90
        register_early_udbg_console+0xf8/0x114
        setup_arch+0x108/0x790
        start_kernel+0x104/0x784
        start_here_common+0x1c/0x534
    
      Memory state around the buggy address:
       c0000000023e7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       c0000000023e7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
      >c0000000023e7a80: f1 f1 01 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
                               ^
       c0000000023e7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       c0000000023e7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ==================================================================
    
    Document that a 16-byte buffer is requred, and provide it in udbg.
    Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    934bda59
hvconsole.c 2.54 KB