My hunch about the length of struct aliases was correct; when a
parameter that is longer than the *entire* aliases struct element (146
characters) is compared, the call to memcmp() is redirected to
"include/linux/fortify-string.h" [0] where checks are done to ensure
there are no out-of-bounds reads.

Because the 'buf' parameter is 146 characters long, the call looks like:

  memcmp("param146=...", aliases[i].alias, len + 1)

where 'len' is 146 and so 147 gets passed in. That triggers:

  if (p_size < size || q_size < size)
          fortify_panic(__func__);

because 'size' (from 'len + 1') is 147 and q_size is 146
(size_t q_size = __struct_size(q)).

('p' is 'buf', 'q' is 'aliases[i].alias')

So, with a guard case to avoid calling memcmp() at all unless the
lengths match, it works. I'll send the patch to the v6.8 stable tree
upstream.

$ qemu-system-aarch64 -machine virt,gic-version=3 -cpu max,pauth-impdef=on -smp 2 -m 4096 -nographic -kernel /srv/NAS/Sunny/SourceCode/builds/linux-aarch64/arch/arm64/boot/Image -append "debug param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2"
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x000f0510]
[ 0.000000] Linux version 6.8.12 ([email protected]) (aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #10 SMP Fri Jul 26 13:57:53 BST 2024
[ 0.000000] random: crng init done
[ 0.000000] Machine model: linux,dummy-virt
...
[ 0.000000] Kernel command line: debug param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2
[ 0.000000] Unknown kernel command line parameters "param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2", will be passed to user space.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/fortify-string.h?h=v6.8#n659

--
https://bugs.launchpad.net/bugs/2069534
Title:
linux 6.8 fails to boot on arm64 if any param is more than 140 chars
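
An added illustration, not part of the original comment or of the kernel source: a userspace C model of the bounds check quoted in the comment and of a length guard like the one it describes. The struct layout, table entries and function names are assumptions; only the 146-byte element size and the check itself come from the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the table in the report: one element is 146 bytes.
 * The 30/116 field split and the entries themselves are assumptions. */
struct alias_entry { char alias[30]; char value[116]; };
static const struct alias_entry aliases[] = {
    { "example.alias", "example.value=1" },
    { "other", "other.value=0" },
};
#define N_ALIASES (sizeof(aliases) / sizeof(aliases[0]))
enum { NO_MATCH = -1, WOULD_PANIC = -2 };

/* Model of the quoted check: nonzero means fortify_panic() would be called. */
static int fortify_trips(size_t p_size, size_t q_size, size_t size)
{
    return p_size < size || q_size < size;
}

/* guarded == 0: memcmp(buf, alias, len + 1) is attempted for every entry.
 * guarded == 1: entries whose length differs from 'buf' are skipped first. */
static int lookup(const char *buf, int guarded)
{
    size_t len = strlen(buf);
    for (size_t i = 0; i < N_ALIASES; i++) {
        if (guarded && len != strlen(aliases[i].alias))
            continue;               /* the guard: memcmp() is never reached */
        /* p_size modelled as SIZE_MAX: size of 'buf' unknown (assumption) */
        if (fortify_trips(SIZE_MAX, sizeof(aliases[i]), len + 1))
            return WOULD_PANIC;
        if (!memcmp(buf, (const char *)&aliases[i], len + 1))
            return (int)i;
    }
    return NO_MATCH;
}

int main(void)
{
    char buf[147];
    memset(buf, 'a', 146);          /* constructed 146-character parameter */
    buf[146] = '\0';
    printf("unguarded=%d guarded=%d\n", lookup(buf, 0), lookup(buf, 1));
    return 0;
}
```

With the guard, the compared size is always the alias length plus one, so it cannot exceed the element size regardless of how long the command-line parameter is.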