
Commit f22e39f7 authored by Jiten Patel's avatar Jiten Patel Committed by Gerrit - the friendly Code Review server

msm: ice: Fix stack-out-of-bound erros on kasan builds



ice_type is defined in local scope and is passed to the class_create
function, which saves the passed buffer as the name identifier.
Because of the local scope the passed buffer becomes invalid, and if it
is read during uevent it can cause stack-out-of-bounds errors.

This change adds two variables, is_sdcc_ice and is_ufscard_ice,
which are used to determine the correct ice instance name. The ice
instance names are global macros which are passed to class_create,
which fixes the stack-out-of-bound issue caused by the local scope.

Change-Id: I59e617263801a0741e45d423401ce1232b3d65d1
Signed-off-by: default avatarJiten Patel <jitepate@codeaurora.org>
parent 4b4163de
+21 −16
@@ -58,7 +58,6 @@

#define ICE_CRYPTO_CXT_FDE 1
#define ICE_CRYPTO_CXT_FBE 2
#define ICE_INSTANCE_TYPE_LENGTH 12

static int ice_fde_flag;

@@ -584,33 +583,37 @@ static int register_ice_device(struct ice_device *ice_dev)
	unsigned int baseminor = 0;
	unsigned int count = 1;
	struct device *class_dev;
	char ice_type[ICE_INSTANCE_TYPE_LENGTH];

	if (!strcmp(ice_dev->ice_instance_type, "sdcc"))
		strlcpy(ice_type, QCOM_SDCC_ICE_DEV, sizeof(ice_type));
	else if (!strcmp(ice_dev->ice_instance_type, "ufscard"))
		strlcpy(ice_type, QCOM_UFS_CARD_ICE_DEV, sizeof(ice_type));
	else
		strlcpy(ice_type, QCOM_UFS_ICE_DEV, sizeof(ice_type));
	int is_sdcc_ice = !strcmp(ice_dev->ice_instance_type, "sdcc");
	int is_ufscard_ice = !strcmp(ice_dev->ice_instance_type, "ufscard");

	rc = alloc_chrdev_region(&ice_dev->device_no, baseminor, count,
			ice_type);
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
	if (rc < 0) {
		pr_err("alloc_chrdev_region failed %d for %s\n", rc,
			ice_type);
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
		return rc;
	}
	ice_dev->driver_class = class_create(THIS_MODULE, ice_type);
	ice_dev->driver_class = class_create(THIS_MODULE,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
	if (IS_ERR(ice_dev->driver_class)) {
		rc = -ENOMEM;
		pr_err("class_create failed %d for %s\n", rc, ice_type);
		pr_err("class_create failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
		goto exit_unreg_chrdev_region;
	}
	class_dev = device_create(ice_dev->driver_class, NULL,
					ice_dev->device_no, NULL, ice_type);
					ice_dev->device_no, NULL,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);

	if (!class_dev) {
		pr_err("class_device_create failed %d for %s\n", rc, ice_type);
		pr_err("class_device_create failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
		rc = -ENOMEM;
		goto exit_destroy_class;
	}
@@ -620,7 +623,9 @@ static int register_ice_device(struct ice_device *ice_dev)

	rc = cdev_add(&ice_dev->cdev, MKDEV(MAJOR(ice_dev->device_no), 0), 1);
	if (rc < 0) {
		pr_err("cdev_add failed %d for %s\n", rc, ice_type);
		pr_err("cdev_add failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
				QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
		goto exit_destroy_device;
	}
	return  0;
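Review bot: The `if (!class_dev)` test after `device_create()` in the `@@ -584` hunk cannot catch a failure, because `device_create()` reports errors as an `ERR_PTR()` value rather than NULL, and the `pr_err` in that branch prints `rc` before it is assigned. The check should read `if (IS_ERR(class_dev)) {` with `rc = PTR_ERR(class_dev);` placed ahead of the `pr_err`. Separately, the nested conditional that selects the instance name is now repeated at seven call sites across both hunks. A single `const char *ice_type = is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ? QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV;` would keep the lifetime fix, assuming the `QCOM_*_ICE_DEV` macros expand to string literals as the commit message implies, and would leave the existing calls and log lines untouched. `register_ice_device` starts and ends outside the visible hunks.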
+1 −1
@@ -30,7 +30,7 @@ enum ice_crpto_key_mode {
	ICE_CRYPTO_USE_LUT_SW_KEY  = 0x3
};

#define QCOM_ICE_TYPE_NAME_LEN 8
#define QCOM_ICE_TYPE_NAME_LEN 12

typedef void (*ice_error_cb)(void *, u32 error);