android_kernel_xiaomi_sm7250/include/trace/events
David Collins ac730c72bd spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
commit 2af28b241eea816e6f7668d1954f15894b45d7e3 upstream.

trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1".  This leads to one extra
byte being read beyond the end of the specified buffer.  Fix
this out-of-bound memory access by using a length of "len"
instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
 adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object:
 [32, 33) 'status'

Memory state around the buggy address:
 ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
                                           ^
 ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
==================================================================

Fixes: a9fce37481 ("spmi: add command tracepoints for SPMI")
Cc: stable@vger.kernel.org
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: David Collins <quic_collinsd@quicinc.com>
Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-25 11:15:28 +02:00
9p.h
afs.h afs: Fix some tracing details 2020-04-02 15:28:19 +02:00
alarmtimer.h
asoc.h
bcache.h
block.h
bridge.h
btrfs.h btrfs: tracepoints: Fix bad entry members of qgroup events 2019-10-29 09:20:07 +01:00
cachefiles.h
cgroup.h
clk.h
cma.h
compaction.h
context_tracking.h
cpuhp.h
devlink.h
dma_fence.h
ext4.h ext4: force inode writes when nfsd calls commit_metadata() 2019-01-09 17:38:43 +01:00
f2fs.h f2fs: fix up f2fs_lookup tracepoints 2021-11-26 11:36:21 +01:00
fib6.h
fib.h net: Change the layout of structure trace_event_raw_fib_table_lookup 2018-08-13 09:21:05 -07:00
filelock.h locks: add tracepoint in flock codepath 2018-08-06 13:15:16 -04:00
filemap.h
fs_dax.h
fscache.h
fsi_master_ast_cf.h
fsi_master_gpio.h
fsi.h
gpio.h
host1x.h
hswadsp.h
huge_memory.h
i2c.h
initcall.h
intel_ish.h
intel-sst.h
iommu.h
ipi.h
irq_matrix.h
irq.h
jbd2.h
kmem.h
kvm.h
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-07-02 16:27:30 +02:00
lock.h
mce.h
mdio.h
migrate.h mm, sched/numa: Remove rate-limiting of automatic NUMA balancing migration 2018-10-02 11:31:14 +02:00
mmc.h
mmflags.h
module.h
napi.h
net_probe_common.h
net.h
nilfs2.h
nmi.h
oom.h
page_isolation.h
page_ref.h
pagemap.h
percpu.h
power_cpu_migrate.h
power.h
preemptirq.h tracing: Change offset type to s32 in preempt/irq tracepoints 2020-01-14 20:07:00 +01:00
printk.h
qdisc.h
rcu.h
rdma.h
regulator.h
rpcrdma.h svcrdma: Fix trace point use-after-free race 2020-05-02 17:25:51 +02:00
rpm.h
rseq.h
rtc.h
rxrpc.h rxrpc: Fix trace string 2020-07-22 09:32:13 +02:00
sched.h sched/debug: Use symbolic names for task state constants 2019-11-20 18:46:14 +01:00
scsi.h
sctp.h sctp: move trace_sctp_probe_path into sctp_outq_sack 2020-10-01 13:14:30 +02:00
signal.h
siox.h
skb.h
smbus.h
sock.h net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer 2022-07-21 21:09:26 +02:00
spi.h
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-08-25 11:15:28 +02:00
sunrpc.h sunrpc: use-after-free in svc_process_common() 2019-01-16 22:04:37 +01:00
sunvnet.h
swiotlb.h
syscalls.h
target.h scsi: target: core: Add CONTROL field for trace events 2020-10-30 10:38:29 +01:00
task.h
tcp.h
thermal_power_allocator.h
thermal.h
thp.h
timer.h
tlb.h
udp.h
ufs.h
v4l2.h
vb2.h
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-06-14 16:59:18 +02:00
vsock_virtio_transport_common.h
wbt.h bdi: use bdi_dev_name() to get device name 2021-08-08 08:54:29 +02:00
workqueue.h
writeback.h memcg: fix a crash in wb_workfn when a device disappears 2021-02-13 13:51:15 +01:00
xdp.h bpf: fix redirect to map under tail calls 2018-08-17 15:56:23 -07:00
xen.h tracing: xen: Ordered comparison of function pointers 2020-01-29 16:43:21 +01:00