Commit db2c9496 authored by Manaf Meethalavalappu Pallikunhi, committed by Gerrit - the friendly Code Review server

drivers: lmh_dcvsh: Use allocated variable for LMH DCVSh sensor name
The LMH DCVSh device uses stack memory for the sensor name and passes
the pointer to this stack variable as the devname argument while registering
the LMH DCVSh interrupt. But the interrupt framework saves this pointer and
tries to dereference the data in a different context. This leads to a
stack-out-of-bounds issue.

To fix this issue, use an allocated memory variable to store the sensor
name and pass the same while registering the interrupt.

==================================================================
BUG: KASAN: stack-out-of-bounds in strcpy+0x24/0x50 at
addr ffffffc0d37e3ac0
Read of size 1 by task kworker/0:1H/593
==================================================================
page dumped because: kasan: bad access detected
kworker/0:1H Tainted: G  W  4.4.21+ #1
------------------------------------------------------------------
Call trace:
[<ffffff900808a78c>] dump_backtrace+0x0/0x2c0
[<ffffff900808aa70>] show_stack+0x24/0x30
[<ffffff90084bd8c4>] dump_stack+0xbc/0xf8
[<ffffff9008263ce8>] kasan_report+0x3b0/0x4f8
[<ffffff900826308c>] __asan_load1+0x24/0x50
[<ffffff90084c8c54>] strcpy+0x24/0x50
[<ffffff90080b2fc8>]
		trace_event_raw_event_irq_handler_entry+0x134/0x180
[<ffffff900813e718>] handle_irq_event_percpu+0x33c/0x3e0
[<ffffff900813e828>] handle_irq_event+0x6c/0xb0
[<ffffff9008143bf4>] handle_fasteoi_irq+0x10c/0x1d4
[<ffffff900813d750>] generic_handle_irq+0x40/0x50
[<ffffff900813dbcc>] __handle_domain_irq+0xb0/0xe4
[<ffffff9008081ab8>] gic_handle_irq+0xd8/0x1a0
Memory state around the buggy address:
ffffffc0d37e3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffffc0d37e3a00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
ffffffc0d37e3a80: f2 f2 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00
                                           ^
ffffffc0d37e3b00: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
ffffffc0d37e3b80: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
==================================================================

CRs-Fixed: 2015855
Change-Id: I22bd8ff4cd6d6a2389be37c35e23fb86221de5c6
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
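The lifetime problem the commit message describes, modelled in user space as an added example (not code from this commit or from the kernel): a stand-in registration routine that keeps only the pointer it is handed, the stack-allocated "before" shape beside the allocated "after" shape, and a check that the name read back in the handler is intact. All names and the model functions are constructed; the kernel analogue of the fix is devm_kasprintf() or kzalloc().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed user-space model of the bug in the commit message: the framework
 * stores only the devname pointer it is handed and dereferences it later, in a
 * different context. Names and functions here are stand-ins, not kernel code. */
#define NR_IRQS 8
static struct { const char *devname; int used; } irq_table[NR_IRQS];

/* Stand-in for request_irq(): saves the pointer, never copies the string. */
int model_request_irq(unsigned irq, const char *devname) {
    if (irq >= NR_IRQS || irq_table[irq].used || !devname) return -1;
    irq_table[irq].devname = devname;
    irq_table[irq].used = 1;
    return 0;
}

/* Stand-in for the later dereference (the strcpy in the trace event). */
int model_handle_irq(unsigned irq, char *out, size_t outlen) {
    if (irq >= NR_IRQS || !irq_table[irq].used) return -1;
    snprintf(out, outlen, "%s", irq_table[irq].devname);
    return 0;
}

/* Buggy shape: devname is a local, so the saved pointer dangles as soon as
 * this returns. Kept for contrast; nothing below fires an IRQ registered here. */
int register_sensor_stack(unsigned irq, int cpu) {
    char name[32];
    snprintf(name, sizeof(name), "lmh-dcvsh-cpu%d", cpu);
    return model_request_irq(irq, name);
}

/* Fixed shape: the name is allocated and outlives the registration
 * (kernel analogue: devm_kasprintf() or kzalloc()). Freed with the device. */
int register_sensor_alloc(unsigned irq, int cpu) {
    char *name = malloc(32);
    if (!name) return -1;
    snprintf(name, 32, "lmh-dcvsh-cpu%d", cpu);
    return model_request_irq(irq, name);
}

/* Register on the allocated path, fire the IRQ afterwards and verify the name. */
int check_alloc_pattern(unsigned irq, int cpu) {
    char expect[32], got[32];
    snprintf(expect, sizeof(expect), "lmh-dcvsh-cpu%d", cpu);
    if (register_sensor_alloc(irq, cpu) != 0) return 0;
    if (model_handle_irq(irq, got, sizeof(got)) != 0) return 0;
    return strcmp(expect, got) == 0;
}
```

Running the stack variant under a sanitizer (ASan in user space, KASAN in the kernel) is what turns the dangling pointer into a report like the one above.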
parent ec235450