From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=zxrt=CX=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CDFE3C43461
	for <linux-mm@archiver.kernel.org>; Mon, 14 Sep 2020 09:44:21 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 3170021D80
	for <linux-mm@archiver.kernel.org>; Mon, 14 Sep 2020 09:44:20 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="HhMdSpnk"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3170021D80
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=bytedance.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 326EF6B0055; Mon, 14 Sep 2020 05:44:20 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 2B1326B005C; Mon, 14 Sep 2020 05:44:20 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 178CF6B005D; Mon, 14 Sep 2020 05:44:20 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0174.hostedemail.com [216.40.44.174])
	by kanga.kvack.org (Postfix) with ESMTP id F05E76B0055
	for <linux-mm@kvack.org>; Mon, 14 Sep 2020 05:44:19 -0400 (EDT)
Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id B66C318012CE2
	for <linux-mm@kvack.org>; Mon, 14 Sep 2020 09:44:19 +0000 (UTC)
X-FDA: 77261181438.30.yard40_12121a927107
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin30.hostedemail.com (Postfix) with ESMTP id 8632018163423
	for <linux-mm@kvack.org>; Mon, 14 Sep 2020 09:44:19 +0000 (UTC)
X-HE-Tag: yard40_12121a927107
X-Filterd-Recvd-Size: 4051
Received: from mail-pj1-f66.google.com (mail-pj1-f66.google.com [209.85.216.66])
	by imf12.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon, 14 Sep 2020 09:44:19 +0000 (UTC)
Received: by mail-pj1-f66.google.com with SMTP id t7so5231139pjd.3
        for <linux-mm@kvack.org>; Mon, 14 Sep 2020 02:44:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bytedance-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=OGDsMtjT75Ugek6NrpYH7erjKE1iSP2qJww8COSquYg=;
        b=HhMdSpnkADQbF2sSvs3sIX8fhooLzGiLBz161wSqKDCUNcYonR4wNaLeWxZnCWXHaY
         rjpxg6mYbaTGCHJstqUMJnjKWERUBNehqsiRQaw6ft+IyndVXaUmEpljumQZINJq7P/u
         Lq6Sgw63X7gxlg2/d5Nrq8YkwmlT1u3NwckogBa9s1PUv5tvzoYfXjmT2BtxsvC1qIeL
         FOKcCh0i9AqESKney8bXcS+c7GdGeu5MiDtDERDa2wPyXcXEexz+P0r4OffDlM7z5cUv
         ZVrwVQrtZc4aRfUUDLyBdHxB9C9N/n4+bwwb2xspLrq8/TE5UJgjCN7NEiu6XSmzXCRR
         h/+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=OGDsMtjT75Ugek6NrpYH7erjKE1iSP2qJww8COSquYg=;
        b=IA1DfxJPSmjgmpCOMj/6A9+pytP4SD0ZbwY5o00FtVgtRPkvQba3wKEQq6latekLws
         /PrqvfA193+zsZ+yb1RlsR0nSD5KmkP/YQWwC6J+hJKznfEgoBlMMYbA3LJzpYvyUs5j
         AhzFhKN0yuYIlKlwJQ3WFG4nKXOVMSQ3Et/1s1jo5GcPK8l8T2S4lMA1iK0oAJJNoWT/
         qcnoNeCk3prcq5Ec7FJ8Y2LhyZO4tVeoESbJ40V5I/BeIgawsIOsNkOB7NH9fBFsz0bP
         bQpyyVEsnkdPrI5N88ORtnd8ltvjCFO9o8k8WhsrJxAMaEvDZqfdSwNY5IzGUBPzOAL3
         37NQ==
X-Gm-Message-State: AOAM531qhrDuHpWHzowVxa5jmxOzM0DUHTTvFGTdsgmFFDKA0qK4mDBK
	dBKQzH6JYhL8v1e8AsCfIFEtntf2+dBSGBfPkMj9Kw==
X-Google-Smtp-Source: ABdhPJz4pmKPQyktsr1gurufUbLpfuebuRWaNUBtQfOPubEyG+vUyruElznQcZJ4OyglwBPwl8Tnqxp0FKWJ0SUREsQ=
X-Received: by 2002:a17:90a:b78b:: with SMTP id m11mr13304541pjr.13.1600076657810;
 Mon, 14 Sep 2020 02:44:17 -0700 (PDT)
MIME-Version: 1.0
References: <20200912155100.25578-1-songmuchun@bytedance.com>
 <20200912174241.eeaa771755915f27babf9322@linux-foundation.org>
 <CAMZfGtXNg31+8QLbUMj7f61Yg1Jgt0rPB7VTDE7qoopGCANGjA@mail.gmail.com> <20200914091844.GE16999@dhcp22.suse.cz>
In-Reply-To: <20200914091844.GE16999@dhcp22.suse.cz>
From: Muchun Song <songmuchun@bytedance.com>
Date: Mon, 14 Sep 2020 17:43:42 +0800
Message-ID: <CAMZfGtXd3DNrW5BPjDosHsz-FUYACGZEOAfAYLwyHdRSpOsqhQ@mail.gmail.com>
Subject: Re: [External] Re: [PATCH] mm: memcontrol: Fix out-of-bounds on the
 buf returned by memory_stat_format
To: Michal Hocko <mhocko@suse.com>
Cc: Andrew Morton <akpm@linux-foundation.org>, Johannes Weiner <hannes@cmpxchg.org>, 
	Vladimir Davydov <vdavydov.dev@gmail.com>, Cgroups <cgroups@vger.kernel.org>, 
	Linux Memory Management List <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 8632018163423
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam05
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Sep 14, 2020 at 5:18 PM Michal Hocko <mhocko@suse.com> wrote:
>
> On Mon 14-09-20 12:02:33, Muchun Song wrote:
> > On Sun, Sep 13, 2020 at 8:42 AM Andrew Morton <akpm@linux-foundation.org> wrote:
> > >
> > > On Sat, 12 Sep 2020 23:51:00 +0800 Muchun Song <songmuchun@bytedance.com> wrote:
> > >
> > > > The memory_stat_format() returns a format string, but the return buf
> > > > may not including the trailing '\0'. So the users may read the buf
> > > > out of bounds.
> > >
> > > That sounds serious.  Is a cc:stable appropriate?
> > >
> >
> > Yeah, I think we should cc:stable.
>
> Is this a real problem? The buffer should contain 36 lines which makes
> it more than 100B per line. I strongly suspect we are not able to use
> that storage up.

Before memory_stat_format() return, we should call seq_buf_putc(&s, '\0').
Otherwise, the return buf string has no trailing null('\0'). But users treat buf
as a string(and read the string oob). It is wrong. Thanks.

> --
> Michal Hocko
> SUSE Labs



-- 
Yours,
Muchun