On Sat, Aug 24, 2024 at 08:05:08PM +0200, Thomas Weißschuh wrote:
Hi Joel,
On 2024-08-05 11:39:35+0000, Thomas Weißschuh wrote:
The test of whether a table is a permanently empty one inspects the address of the registered ctl_table argument. However, as sysctl_mount_point is an empty array and does not occupy any space, it can end up sharing an address with another object in memory. If that other object itself is a "struct ctl_table", then registering that table will fail as it is incorrectly recognized as permanently empty.
Avoid this issue by adding a dummy element to the array so that it is not empty anymore. Explicitly register the table with zero elements, as otherwise the dummy element would be recognized as a sentinel element, which would lead to a runtime warning from the sysctl core.
While the issue does not seem to be encountered at this time, this seems mostly to be due to luck. Also, a future change, constifying sysctl_mount_point and root_table, can reliably trigger this issue on clang 18.
Given that empty arrays are non-standard in the first place, it seems prudent to avoid them if possible.
Fixes: 4a7b29f65094 ("sysctl: move sysctl type to ctl_table_header")
Fixes: a35dd3a786f5 ("sysctl: drop now unnecessary out-of-bounds check")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Any updates on this? I fear it can theoretically also happen on v6.11.
This is already in next and will probably make it for v6.11. The "Fixes" tag will make it so it is ported to 6.10.
Best
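Added illustration of the address-sharing problem the patch describes (this is not code from the patch or from the kernel; struct ctl_table is a minimal stand-in, and packing the arrays into one struct is a constructed model that makes the adjacent placement deterministic instead of depending on what the linker happens to do):

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct ctl_table (assumption, not the real layout). */
struct ctl_table {
	const char *procname;
	int maxlen;
};

/*
 * Buggy layout: a zero-sized "permanently empty" marker array followed by
 * another table. The marker occupies no space, so other_table starts at the
 * same address (GNU zero-length array extension, as used in the kernel).
 */
struct buggy_layout {
	struct ctl_table mount_point[0];
	struct ctl_table other_table[1];
};

/* Fixed layout: a dummy element makes the marker occupy space of its own. */
struct fixed_layout {
	struct ctl_table mount_point[1];
	struct ctl_table other_table[1];
};

static struct buggy_layout buggy;
static struct fixed_layout fixed;

/* The identity test the message describes: compares the registered table's address. */
static int is_permanently_empty(const struct ctl_table *tbl, const struct ctl_table *marker)
{
	return tbl == marker;
}

/* Returns 1 if registering other_table would be misclassified as permanently empty. */
int buggy_misclassifies_other_table(void)
{
	return is_permanently_empty(buggy.other_table, buggy.mount_point);
}

int fixed_misclassifies_other_table(void)
{
	return is_permanently_empty(fixed.other_table, fixed.mount_point);
}

int main(void)
{
	printf("empty marker: other table misclassified = %d\n", buggy_misclassifies_other_table());
	printf("dummy element: other table misclassified = %d\n", fixed_misclassifies_other_table());
	return 0;
}
```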