Bug#701805: add_uevent_var: buffer size too small

To: Lars Hanke <debian@lhanke.de>, 701805@bugs.debian.org
Subject: Bug#701805: add_uevent_var: buffer size too small
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 27 Feb 2013 14:11:24 +0000
Message-id: <[🔎] 1361974284.3768.74.camel@deadeye.wl.decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 701805@bugs.debian.org
In-reply-to: <[🔎] 20130227114603.10914.34131.reportbug@asgard.mgr>
References: <[🔎] 20130227114603.10914.34131.reportbug@asgard.mgr>

Control: tag -1 moreinfo

On Wed, 2013-02-27 at 12:46 +0100, Lars Hanke wrote:
> Package: linux-2.6
> Version: 2.6.32-48squeeze1
> Severity: normal
> 
> 
> I'm not sure what actually caused the issue. I did disconnect my
> WD-Book (sdd) from the USB. I re-attached it after the error using
> eSATA. This is what you see in the kernel log. However, the kernel
> source points to a buffer overflow, which already happened, when this
> message is generated. So it might be a critical security issue.

The add_uevent_var() function uses vsnprintf() which limits the
formatted string length.  There is no buffer overflow.

[...]
> [ 1999.656073] usb 3-7: USB disconnect, address 5
> [ 1999.681146] ------------[ cut here ]------------
> [ 1999.681153] WARNING: at /build/buildd-linux-2.6_2.6.32-48squeeze1-amd64-qu4MIV/linux-2.6-2.6.32/debian/build/source_amd64_openvz/lib/kobject_uevent.c:313 add_uevent_var+0xaf/0xf0()
> [ 1999.681158] Hardware name: MS-7395
> [ 1999.681160] add_uevent_var: buffer size too small
> [ 1999.681171] Modules linked in: ses enclosure usbhid usb_storage hid ebtable_nat ebtables vzethdev vznetdev simfs vzrst vzcpt vzdquota vzmon vzdev ip6t_REJECT ip6table_mangle ip6table_filter ip6_tables xt_length xt_hl xt_limit xt_dscp ipt_REJECT acpi_cpufreq cpufreq_conservative cpufreq_stats cpufreq_powersave cpufreq_userspace capi capifs vzevent kvm_intel kvm fuse pppoe pppox ppp_generic slhc ipt_MASQUERADE iptable_nat nf_nat ipt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 xt_state xt_multiport iptable_filter xt_TCPMSS xt_tcpmss xt_tcpudp iptable_mangle ip_tables x_tables bridge stp xfs exportfs ext2 dm_crypt coretemp f71882fg nf_conntrack_ftp nf_conntrack loop snd_hda_codec_atihdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq b1pci b1dma b1 snd_timer kernelcapi snd_seq_device snd shpchp radeon ttm drm_kms_helper i2c_i801 pci_hotplug drm soundcore i2c_algo_bit parport_pc snd_page_alloc pcspkr usblp psmouse i2c_core parport evdev serio_raw processor
>   button ext3 jbd mbcache dm_mod raid456 md_mod async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx sg sr_mod cdrom sd_mod crc_t10dif ata_generic ahci pata_jmicron r8169 ata_piix aic7xxx uhci_hcd thermal sundance libata mii ehci_hcd scsi_transport_spi scsi_mod thermal_sys usbcore nls_base [last unloaded: scsi_wait_scan]
> [ 1999.681281] Pid: 264, comm: khubd Tainted: G        W  2.6.32-5-openvz-amd64 #1
> [ 1999.681283] Call Trace:
> [ 1999.681288]  [<ffffffff8117cc2b>] ? add_uevent_var+0xaf/0xf0
> [ 1999.681292]  [<ffffffff8117cc2b>] ? add_uevent_var+0xaf/0xf0
> [ 1999.681296]  [<ffffffff8104e0e4>] ? warn_slowpath_common+0x77/0xa3
> [ 1999.681300]  [<ffffffff8104e16c>] ? warn_slowpath_fmt+0x51/0x59
> [ 1999.681304]  [<ffffffff8118224e>] ? vsnprintf+0x40a/0x449
> [ 1999.681308]  [<ffffffff8117cc2b>] ? add_uevent_var+0xaf/0xf0
> [ 1999.681313]  [<ffffffff8121c116>] ? input_dev_uevent+0x267/0x29f
> [ 1999.681318]  [<ffffffff8120c102>] ? dev_uevent+0x13f/0x146
> [ 1999.681322]  [<ffffffff8117ce96>] ? kobject_uevent_env+0x22a/0x3e6
> [ 1999.681326]  [<ffffffff81210d90>] ? release_nodes+0x152/0x18b
> [ 1999.681330]  [<ffffffff8120c6a1>] ? device_del+0x15a/0x198
> [ 1999.681334]  [<ffffffff8120c6e8>] ? device_unregister+0x9/0x12
> [ 1999.681340]  [<ffffffffa0641518>] ? hidinput_disconnect+0x49/0x62 [hid]
> [ 1999.681344]  [<ffffffffa063ff3a>] ? hid_disconnect+0x12/0x38 [hid]
> [ 1999.681349]  [<ffffffffa063ff8c>] ? hid_device_remove+0x2c/0x48 [hid]
> [ 1999.681353]  [<ffffffff8120e6fc>] ? __device_release_driver+0x96/0xeb
> [ 1999.681357]  [<ffffffff8120e809>] ? device_release_driver+0x1e/0x2a
> [ 1999.681361]  [<ffffffff8120de05>] ? bus_remove_device+0x8d/0xac
> [ 1999.681365]  [<ffffffff8120c677>] ? device_del+0x130/0x198
> [ 1999.681369]  [<ffffffffa063facb>] ? hid_destroy_device+0x19/0x35 [hid]
> [ 1999.681374]  [<ffffffffa066c899>] ? usbhid_disconnect+0x30/0x39 [usbhid]
> [ 1999.681386]  [<ffffffffa00117e5>] ? usb_unbind_interface+0x5b/0xe3 [usbcore]
[...]

This is all about a HID (human input device) being removed.  Is there a
button on the WD-Book that is meant to start a backup, or something like
that?

Ben.

-- 
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by stupidity.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Bug#701805: add_uevent_var: buffer size too small
  - From: Lars Hanke <debian@lhanke.de>

Prev by Date: Processed: Re: Bug#701805: add_uevent_var: buffer size too small
Next by Date: Bug#701690: nvidia: disagrees about version of symbol efi_enabled
Previous by thread: Processed: Re: Bug#701805: add_uevent_var: buffer size too small
Next by thread: Bug#699311: [wheezy] oops when unplugged USB audio headset
Index(es):
- Date
- Thread