From: Kees Cook keescook@chromium.org Date: Thu, 2 Mar 2023 14:49:50 -0800
Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination and source buffers. Defining kernel_headers_data as "char" would trip this check. Since these addresses are treated as byte arrays, define them as arrays (as done everywhere else).
Yet another array-as-one-char, I wonder how many are still here...
This was seen with:
$ cat /sys/kernel/kheaders.tar.xz >> /dev/null
detected buffer overflow in memcpy kernel BUG at lib/string_helpers.c:1027! ... RIP: 0010:fortify_panic+0xf/0x20 [...] Call Trace:
<TASK> ikheaders_read+0x45/0x50 [kheaders] kernfs_fop_read_iter+0x1a4/0x2f0 ...
Reported-by: Jakub Kicinski kuba@kernel.org Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/ Tested-by: Jakub Kicinski kuba@kernel.org Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier") Cc: Joel Fernandes (Google) joel@joelfernandes.org Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org
Reviewed-by: Alexander Lobakin aleksander.lobakin@intel.com
kernel/kheaders.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
[...]
Thanks, Olek