
Commit 14038bca authored by Ravi Aravamudhan

diag: Fix out of bounds memory access

Diag driver incorrectly loops through the control socket channels.
This could lead to out-of-bounds memory access. Make changes to
loop through the total number of peripherals.

KASan report
[   41.639007] ==================================================================
[   41.639017] ==================================================================
[   41.639029] BUG: KASan: out of bounds access in cntl_socket_read_work_fn+0x250/0x544 at addr ffffffc0020f0514
[   41.639036] Read of size 4 by task kworker/u8:5/237
[   41.639048] page:ffffffbac1549600 count:1 mapcount:0 mapping:          (null) index:0x0
[   41.639063] flags: 0x400(reserved)
[   41.639069] page dumped because: kasan: bad access detected
[   41.639081] Address belongs to variable socket_dci_cmd+0x474/0x480
[   41.639095] CPU: 0 PID: 237 Comm: kworker/u8:5 Tainted: G        W      3.18.18-ga4afe1d-dirty #3
[   41.639104] Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT)
[   41.639119] Workqueue: DIAG_CNTL_SOCKET cntl_socket_read_work_fn
[   41.639125] Call trace:
[   41.639138] [<ffffffc000089e38>] dump_backtrace+0x0/0x1c4
[   41.639151] [<ffffffc00008a00c>] show_stack+0x10/0x1c
[   41.639162] [<ffffffc001188404>] dump_stack+0x74/0xc8
[   41.639175] [<ffffffc00020d65c>] kasan_report_error+0x2b0/0x408
[   41.639185] [<ffffffc00020d890>] kasan_report+0x34/0x40
[   41.639196] [<ffffffc00020c700>] __asan_load4+0x84/0x90
[   41.639206] [<ffffffc00069cbb8>] cntl_socket_read_work_fn+0x24c/0x544
[   41.639219] [<ffffffc0000ca58c>] process_one_work+0x394/0x64c
[   41.639231] [<ffffffc0000cb94c>] worker_thread+0x3bc/0x550
[   41.639242] [<ffffffc0000d1f00>] kthread+0x180/0x194
[   41.639249] Memory state around the buggy address:
[   41.639259]  ffffffc0020f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.639270]  ffffffc0020f0480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.639279] >ffffffc0020f0500: fa fa fa fa 00 00 00 00 00 fa fa fa fa fa fa fa
[   41.639285]                          ^
[   41.639295]  ffffffc0020f0580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.639306]  ffffffc0020f0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   41.639312] ==================================================================
[   41.643042] ==================================================================

Change-Id: Ida981a44c1d69d2f6af70fc2a09a1f7149cefc0a
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
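The "Memory state around the buggy address" block in the report is a dump of KASan's shadow memory: every 8 bytes of kernel memory are described by one shadow byte, 0x00 meaning all 8 bytes are addressable, 0x01..0x07 meaning only the first that many bytes are, and 0xfa (KASAN_GLOBAL_REDZONE) meaning padding after a global variable. The example below is added here and is not part of the commit or of the diag driver; it transcribes the marked `>` row of the report, applies KASan's rule to the 4-byte read at ffffffc0020f0514, and shows that the granule under the caret is global redzone, which is what the report flags. The poison values are the generic ones from the kernel's mm/kasan/kasan.h; the second row is constructed only to exercise the partial-granule case and does not come from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* KASan keeps one shadow byte per 8 bytes of kernel memory. These are the
 * generic encodings from mm/kasan/kasan.h used by the 3.18-era arm64 kernel
 * in the report; only the values this example needs are listed. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_GLOBAL_REDZONE     0xFA   /* padding after a global variable */

enum access_verdict {
    ACCESS_OK,             /* every touched byte is addressable */
    ACCESS_PARTIAL_OOB,    /* runs off the end of a partially used granule */
    ACCESS_GLOBAL_REDZONE, /* lands in the redzone of a global (this report) */
    ACCESS_OTHER_POISON,   /* some other poison value (stack, kmalloc, ...) */
    ACCESS_OUTSIDE_ROW     /* address not covered by the row we have */
};

/* One "Memory state around the buggy address" row: the address of the first
 * byte it describes plus 16 shadow bytes, i.e. 128 bytes of memory. */
struct shadow_row {
    uint64_t base;
    uint8_t  shadow[16];
};

/* Shadow byte covering addr, or -1 when addr is not within this row. */
static int shadow_for(const struct shadow_row *row, uint64_t addr)
{
    if (addr < row->base)
        return -1;
    uint64_t off = addr - row->base;
    if (off >= 16 * KASAN_SHADOW_SCALE_SIZE)
        return -1;
    return row->shadow[off >> KASAN_SHADOW_SCALE_SHIFT];
}

/* Apply KASan's rule to a size-byte access starting at addr: a byte is
 * addressable iff its granule's shadow is 0x00, or is 0x01..0x07 and the
 * byte's offset inside the granule is below that value. First bad byte wins. */
static enum access_verdict check_access(const struct shadow_row *row,
                                        uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        int s = shadow_for(row, a);
        if (s < 0)
            return ACCESS_OUTSIDE_ROW;
        if (s == 0)
            continue;
        if (s < (int)KASAN_SHADOW_SCALE_SIZE) {
            if ((a & (KASAN_SHADOW_SCALE_SIZE - 1)) < (uint64_t)s)
                continue;
            return ACCESS_PARTIAL_OOB;
        }
        return s == KASAN_GLOBAL_REDZONE ? ACCESS_GLOBAL_REDZONE
                                         : ACCESS_OTHER_POISON;
    }
    return ACCESS_OK;
}

/* The '>' row of the report above, transcribed byte for byte. */
static const struct shadow_row report_row = {
    .base = 0xffffffc0020f0500ULL,
    .shadow = { 0xfa, 0xfa, 0xfa, 0xfa, 0x00, 0x00, 0x00, 0x00, 0x00,
                0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa },
};

/* Constructed row (not from the report): the first granule holds a 5-byte
 * object, so shadow 0x05 marks a partially addressable granule. */
static const struct shadow_row partial_row = {
    .base = 0x1000ULL,
    .shadow = { 0x05, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa,
                0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa },
};

static const char *verdict_name(enum access_verdict v)
{
    static const char *names[] = { "ok", "partial granule overrun",
        "global redzone", "other poison", "outside row" };
    return names[v];
}

int main(void)
{
    /* The faulting access from the report: "Read of size 4" at ...514. */
    uint64_t addr = 0xffffffc0020f0514ULL;
    printf("read of 4 at %llx: %s\n", (unsigned long long)addr,
           verdict_name(check_access(&report_row, addr, 4)));
    /* The next addressable granule starts at ...520 (shadow 0x00). */
    printf("read of 4 at %llx: %s\n", (unsigned long long)(addr + 0xc),
           verdict_name(check_access(&report_row, addr + 0xc, 4)));
    return 0;
}
```

Reading the report this way confirms the caret: offset 0x14 into the row is granule 2, whose shadow byte is 0xfa, so the 4-byte read at ffffffc0020f0514 sits entirely in the redzone that follows a global, matching the "Address belongs to variable socket_dci_cmd" line. An 8-byte read at ...544 would pass its first granule and still be reported, because byte ...548 falls into the next redzone.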
parent 77813844