CVE-2022-50778

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL

With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate().

__compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example:

    static const char *v = "FOO BAR";
    static const char *y = "FOO BA";
    unsigned long x (int z) {
        // Returns 8, which is:
        // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
        return __builtin_object_size(z ? v : y, 1);
    }

So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.

hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there.

Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependent case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals.
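The following is an added, constructed example and not the kernel's own fortify code: it models the __compiletime_strlen() helper in a few lines, with the __builtin_constant_p() guard on index 0 that the fix describes, and applies it to a switch-selected local string in the shape of the hidinput_allocate() case. The macro names CT_STRLEN and FORTIFIED_STRLEN, the suffix_len() and literal_len() functions and the strings they select are all invented for illustration. The guard makes the macro give up (return SIZE_MAX) whenever the pointer can refer to more than one literal, so the caller falls back to a runtime strlen() instead of indexing the shorter literal with the longer literal's size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, simplified model of __compiletime_strlen(). It returns the
 * string length when the compiler can prove it, and SIZE_MAX otherwise.
 * (The real kernel macro has more cases; only the parts needed to show the
 * guard are kept here.)
 */
#define CT_STRLEN(p) ({                                                       \
    const unsigned char *__p = (const unsigned char *)(p);                    \
    size_t __ret = SIZE_MAX;                                                  \
    size_t __p_size = __builtin_object_size(__p, 1);                          \
    /* The guard from the fix: only trust __p_size when the first byte is    \
     * itself a compile-time constant. If __p may point at several literals  \
     * (e.g. selected by a switch), __p[0] is not constant and we bail out   \
     * instead of indexing with the size of the largest candidate.           */ \
    if (__p_size != SIZE_MAX && __builtin_constant_p(*__p)) {                 \
        size_t __p_len = __p_size - 1;                                        \
        /* Last-byte NUL check, now only reached for a single known literal */ \
        if (__builtin_constant_p(__p[__p_len]) && __p[__p_len] == '\0')       \
            __ret = __builtin_strlen((const char *)__p);                      \
    }                                                                         \
    __ret; })

/* Compile-time answer when provable, runtime strlen() otherwise. */
#define FORTIFIED_STRLEN(p) ({                                                \
    size_t __ct = CT_STRLEN(p);                                               \
    __ct != SIZE_MAX ? __ct : strlen(p); })

/*
 * Constructed stand-in for hidinput_allocate(): the local string is chosen by
 * a switch, so its object size is the maximum over all candidate literals.
 * Without the guard, an object size of 9 (from "Keyboard") would make the
 * macro read index 8 of "Mouse", the out-of-bounds access the report describes.
 */
size_t suffix_len(int kind)
{
    const char *suffix;

    switch (kind) {
    case 0:  suffix = "Keyboard"; break;  /* 8 characters, object size 9 */
    case 1:  suffix = "Mouse";    break;  /* 5 characters, object size 6 */
    case 2:  suffix = "Stylus";   break;  /* 6 characters, object size 7 */
    default: suffix = "";         break;
    }
    return FORTIFIED_STRLEN(suffix);
}

/* A single literal: the guard passes and the length can be folded. */
size_t literal_len(void)
{
    return FORTIFIED_STRLEN("FOO BAR");
}

int main(void)
{
    for (int kind = 0; kind < 4; kind++)
        printf("suffix_len(%d) = %zu\n", kind, suffix_len(kind));
    printf("literal_len() = %zu\n", literal_len());
    return 0;
}
```

Whether CT_STRLEN actually folds at compile time depends on the compiler and optimisation level, which is why the wrapper keeps the runtime strlen() fallback: the results are the true lengths either way, and the guard only changes which path produces them. The kernel's own check of this behaviour lives in the KUnit test the commit adds.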

Impact