
Commit 0e6ee3c9 authored by AnilKumar Chimata, committed by Gerrit - the friendly Code Review server

qseecom: Fix stack out of bounds issue



While copying the request buffer to the temporary buffer, the large size
of the request buffer is copied, which leads to accessing the stack out
of its size.

<3>[   24.265116] ==================================================================
<3>[   24.271333] BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc05890b744
<3>[   24.279388] Read of size 4096 by task vold/362
<0>[   24.283819] page:ffffffba494e3790 count:0 mapcount:0 mapping:          (null) index:0x0
<0>[   24.291800] flags: 0x0()
<1>[   24.294318] page dumped because: kasan: bad access detected
<6>[   24.299884] CPU: 1 PID: 362 Comm: vold Not tainted 3.18.20-g7bb9977 #1
<6>[   24.299895] Hardware name: Qualcomm Technologies, Inc. MSM8937-PMI8950 MTP (DT)
<0>[   24.299904] Call trace:
<6>[   24.302314] [<ffffffc00008c80c>] dump_backtrace+0x0/0x284
<6>[   24.302329] [<ffffffc00008caa0>] show_stack+0x10/0x1c
<6>[   24.302345] [<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
<6>[   24.302362] [<ffffffc0002f8880>] kasan_report+0x3b4/0x504
<6>[   24.302376] [<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
<6>[   24.302389] [<ffffffc0002f7fe4>] memcpy+0x24/0x54
<6>[   24.302406] [<ffffffc000bfdf80>] qseecom_scm_call2+0xec0/0x1c94
<6>[   24.302421] [<ffffffc000c00798>] qseecom_scm_call.constprop.41+0x64/0x7c
<6>[   24.302436] [<ffffffc000c0513c>] qseecom_create_key+0x304/0x680
<6>[   24.302450] [<ffffffc000c1084c>] qseecom_ioctl+0x2fb8/0x4944
<6>[   24.302464] [<ffffffc000333f70>] do_vfs_ioctl+0x9c8/0xb0c
<6>[   24.302476] [<ffffffc00033410c>] SyS_ioctl+0x58/0x8c
<3>[   24.302484] Memory state around the buggy address:
<3>[   24.307080]  ffffffc05890b680: f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00 00 00
<3>[   24.314283]  ffffffc05890b700: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[   24.321488] >ffffffc05890b780: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[   24.328690]                       ^
<3>[   24.332164]  ffffffc05890b800: 00 00 04 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
<3>[   24.339369]  ffffffc05890b880: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
<3>[   24.346571] ==================================================================
<4>[   24.353777] Disabling lock debugging due to kernel taint
<3>[   24.533597] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<6>[   24.541522] get_ice_device_from_storage_type: found ice device ffffffc05bd61f80
<3>[   24.545296] ==================================================================
<3>[   24.551503] BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc05890b7c4
<3>[   24.559558] Read of size 4096 by task vold/362
<0>[   24.563989] page:ffffffba494e3790 count:0 mapcount:0 mapping:          (null) index:0x0
<0>[   24.571966] flags: 0x0()
<1>[   24.574485] page dumped because: kasan: bad access detected
<6>[   24.580050] CPU: 1 PID: 362 Comm: vold Tainted: G    B          3.18.20-g7bb9977 #1
<6>[   24.580060] Hardware name: Qualcomm Technologies, Inc. MSM8937-PMI8950 MTP (DT)
<0>[   24.580069] Call trace:
<6>[   24.582482] [<ffffffc00008c80c>] dump_backtrace+0x0/0x284
<6>[   24.582497] [<ffffffc00008caa0>] show_stack+0x10/0x1c
<6>[   24.582513] [<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
<6>[   24.582529] [<ffffffc0002f8880>] kasan_report+0x3b4/0x504
<6>[   24.582543] [<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
<6>[   24.582556] [<ffffffc0002f7fe4>] memcpy+0x24/0x54
<6>[   24.582574] [<ffffffc000bfe128>] qseecom_scm_call2+0x1068/0x1c94
<6>[   24.582588] [<ffffffc000c00798>] qseecom_scm_call.constprop.41+0x64/0x7c
<6>[   24.582603] [<ffffffc000c04c30>] __qseecom_set_clear_ce_key+0xf4/0x2fc
<6>[   24.582616] [<ffffffc000c05334>] qseecom_create_key+0x4fc/0x680
<6>[   24.582630] [<ffffffc000c1084c>] qseecom_ioctl+0x2fb8/0x4944
<6>[   24.582644] [<ffffffc000333f70>] do_vfs_ioctl+0x9c8/0xb0c
<6>[   24.582656] [<ffffffc00033410c>] SyS_ioctl+0x58/0x8c
<3>[   24.582664] Memory state around the buggy address:
<3>[   24.587250]  ffffffc05890b700: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[   24.594453]  ffffffc05890b780: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[   24.601656] >ffffffc05890b800: 00 00 04 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
<3>[   24.608860]                          ^
<3>[   24.612596]  ffffffc05890b880: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
<3>[   24.619802]  ffffffc05890b900: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
<3>[   24.627001] ==================================================================
<6>[   24.799462] get_ice_device_from_storage_type: found ice device ffffffc05bd61f80
<3>[   24.803065] QSEECOM: qseecom_create_key: Set the key successfully

Change-Id: Id683067d29531686dafe94114ba3329f87292923
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
parent c1551685
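The commit message and the KASAN reports above describe one bug pattern: a small request struct lives on the stack, and the copy into the temporary SCM buffer uses the size of the large destination buffer (KASAN shows a 4096-byte read) rather than the size of the request actually being copied, so memcpy reads past the end of the stack frame. The following C program is an added illustration of that pattern and of the bounded copy that prevents it; it is not the qseecom driver's code or this commit's fix. The struct `key_generate_ireq`, the constant `SCM_REQ_BUF_MAX`, and every function name are constructed for the example.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration; the driver's real request structures and
 * buffer sizes differ. SCM_REQ_BUF_MAX stands in for the size of the
 * generic request buffer (the 4096-byte read KASAN reports). */
#define SCM_REQ_BUF_MAX 4096

/* Hypothetical small request that the caller keeps on its stack. */
struct key_generate_ireq {
    uint32_t qsee_command_id;
    uint32_t flags;
    uint8_t  key_id[32];
};

/* Scratch buffer playing the role of the temporary SCM request buffer. */
static uint8_t scm_scratch_buf[SCM_REQ_BUF_MAX];

/* Bug pattern: the copy length is the capacity of the destination, not the
 * size of the request. With a 40-byte stack struct as `req`, memcpy reads
 * SCM_REQ_BUF_MAX bytes, running off the end of the caller's stack frame;
 * that is the stack-out-of-bounds read KASAN flags. Kept here only for
 * comparison; it is never called with an undersized source. */
static void copy_request_unbounded(void *tmp, const void *req)
{
    memcpy(tmp, req, SCM_REQ_BUF_MAX);
}

/* Hardened pattern: copy exactly the request's own length and refuse any
 * length that would not fit the destination. Returns the number of bytes
 * copied, or -EINVAL when the arguments are unusable. */
static int copy_request_bounded(void *tmp, size_t tmp_len,
                                const void *req, size_t req_len)
{
    if (tmp == NULL || req == NULL || req_len == 0 || req_len > tmp_len)
        return -EINVAL;
    memcpy(tmp, req, req_len);
    /* Zero the unused tail so stale bytes never ride along to the callee. */
    memset((uint8_t *)tmp + req_len, 0, tmp_len - req_len);
    return (int)req_len;
}

/* Shaped like a create-key path: build the small request on the stack and
 * stage it into the larger SCM buffer using the request's real size. */
static int stage_key_generate_request(uint8_t *scm_buf, size_t scm_len,
                                      uint32_t flags)
{
    struct key_generate_ireq ireq;

    memset(&ireq, 0, sizeof(ireq));
    ireq.qsee_command_id = 0x10;          /* constructed command id */
    ireq.flags = flags;
    memset(ireq.key_id, 0xAB, sizeof(ireq.key_id));   /* constructed key id */

    /* sizeof(ireq), not SCM_REQ_BUF_MAX, bounds the read from the stack. */
    return copy_request_bounded(scm_buf, scm_len, &ireq, sizeof(ireq));
}

int main(void)
{
    int n = stage_key_generate_request(scm_scratch_buf, sizeof(scm_scratch_buf), 1);
    printf("staged %d bytes (struct is %zu bytes)\n", n, sizeof(struct key_generate_ireq));

    /* An oversized request is rejected instead of overrunning the buffer. */
    uint8_t big[SCM_REQ_BUF_MAX + 1] = {0};
    int r = copy_request_bounded(scm_scratch_buf, sizeof(scm_scratch_buf), big, sizeof(big));
    printf("oversized request -> %d (expected %d)\n", r, -EINVAL);

    (void)copy_request_unbounded;   /* referenced only so the comparison compiles */
    return 0;
}
```

The check that matters is the one on `req_len > tmp_len` combined with passing `sizeof(ireq)` from the caller: the length of the copy must be derived from the object being read, never from the capacity of the buffer being written. KASAN catches the unbounded variant at runtime, but the bounded variant is the only one that is correct without instrumentation.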