
Commit 1fcf7c55 authored by Dinesh K Garg's avatar Dinesh K Garg

crypto: ice: Fix stack overflow while creating ICE device



ICE driver creates ICE device. There could be either SDCC or UFS
based ICE device. Hence, ICE driver was using dynamic string to
register corresponding ICE device. However, API implementing MACRO
class_create(owner, name) expects a const string. Providing MACRO
class_create(owner, name) with a dynamic string caused stack overflow.
Fixing this error by statically allocating ICE device name for both
SDCC and UFS based ICE device.

[   40.929774] BUG: KASan: out of bounds on stack in string.isra.5+0xb0/0x118 at addr ffffffc0715efad0
[   40.929787] Read of size 1 by task ueventd/402
[   40.929803] page:ffffffba463f1450 count:0 mapcount:0 mapping:          (null) index:0x0
[   40.929820] flags: 0x0()
[   40.929827] page dumped because: kasan: bad access detected
[   40.929848] CPU: 3 PID: 402 Comm: ueventd Tainted: G        W      3.18.20-ga7b28e9-13016-g2566284 #1
[   40.929857] Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 + PM8004 MTP (DT)
[   40.929870] Call trace:
[   40.929899] [<ffffffc000089ec4>] dump_backtrace+0x0/0x1c4
[   40.929911] [<ffffffc00008a098>] show_stack+0x10/0x1c
[   40.929936] [<ffffffc0011bdd0c>] dump_stack+0x74/0xc8
[   40.929962] [<ffffffc0002108f4>] kasan_report_error+0x2bc/0x414
[   40.929972] [<ffffffc000210b28>] kasan_report+0x34/0x40
[   40.929983] [<ffffffc00020ff80>] __asan_load1+0x64/0x70
[   40.929993] [<ffffffc00045aaa0>] string.isra.5+0xac/0x118
[   40.930006] [<ffffffc00045ca88>] vsnprintf+0x34c/0x69c
[   40.930017] [<ffffffc000451a58>] add_uevent_var+0xf4/0x1a8
[   40.930027] [<ffffffc000451d68>] kobject_uevent_env+0x25c/0x6f8
[   40.930037] [<ffffffc000452210>] kobject_uevent+0xc/0x18
[   40.930059] [<ffffffc000728c40>] uevent_store+0x88/0xcc
[   40.930070] [<ffffffc00072723c>] dev_attr_store+0x44/0x58
[   40.930088] [<ffffffc0002a7110>] sysfs_kf_write+0x8c/0xa4
[   40.930100] [<ffffffc0002a5da8>] kernfs_fop_write+0x15c/0x1b8
[   40.930117] [<ffffffc00021b0cc>] vfs_write+0x100/0x210
[   40.930129] [<ffffffc00021bb3c>] SyS_write+0xa8/0x114
[   40.930136] Memory state around the buggy address:
[   40.930156]  ffffffc0715ef980: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
[   40.930165]  ffffffc0715efa00: f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 06 f2 f2
[   40.930176] >ffffffc0715efa80: f2 f2 00 00 00 06 f3 f3 f3 f3 f3 f3 f3 f3 00 00
[   40.930182]                                                  ^
[   40.930194]  ffffffc0715efb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[   40.930202]  ffffffc0715efb80: f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
[   40.930208] ==================================================================
[   40.930451] ==================================================================
[   40.930479] BUG: KASan: out of bounds on stack in string.isra.5+0xb0/0x118 at addr ffffffc0715efad1
[   40.930488] Read of size 1 by task ueventd/402
[   40.930498] page:ffffffba463f1450 count:0 mapcount:0 mapping:          (null) index:0x0
[   40.930511] flags: 0x0()
[   40.930519] page dumped because: kasan: bad access detected

Change-Id: I5b7eadf428efeb846ebea5e53f805865eea20251
Signed-off-by: default avatarDinesh K Garg <dineshg@codeaurora.org>
parent 53d2912c
+16 −18
@@ -47,7 +47,8 @@
	TZ_SYSCALL_CREATE_PARAM_ID_0

#define ICE_REV(x, y) (((x) & ICE_CORE_##y##_REV_MASK) >> ICE_CORE_##y##_REV)
#define QCOM_ICE_DEV	"ice"
#define QCOM_UFS_ICE_DEV	"iceufs"
#define QCOM_SDCC_ICE_DEV	"icesdcc"
#define QCOM_ICE_TYPE_NAME_LEN 8
#define QCOM_ICE_MAX_BIST_CHECK_COUNT 100

@@ -719,34 +720,30 @@ static int register_ice_device(struct ice_device *ice_dev)
	unsigned baseminor = 0;
	unsigned count = 1;
	struct device *class_dev;
	char tmp_dev_name[16];
	memset(tmp_dev_name, 0, 16);

	strlcpy(tmp_dev_name, QCOM_ICE_DEV, 8);
	strlcat(tmp_dev_name, ice_dev->ice_instance_type, 8);

	pr_debug("%s: instance type = %s device name = %s\n", __func__,
				ice_dev->ice_instance_type, tmp_dev_name);
	int is_sdcc_ice = !strcmp(ice_dev->ice_instance_type, "sdcc");

	rc = alloc_chrdev_region(&ice_dev->device_no, baseminor, count,
							tmp_dev_name);
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
	if (rc < 0) {
		pr_err("alloc_chrdev_region failed %d for %s\n",
						rc, tmp_dev_name);
		pr_err("alloc_chrdev_region failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
		return rc;
	}
	ice_dev->driver_class = class_create(THIS_MODULE, tmp_dev_name);
	ice_dev->driver_class = class_create(THIS_MODULE,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
	if (IS_ERR(ice_dev->driver_class)) {
		rc = -ENOMEM;
		pr_err("class_create failed %d for %s\n", rc, tmp_dev_name);
		pr_err("class_create failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
		goto exit_unreg_chrdev_region;
	}
	class_dev = device_create(ice_dev->driver_class, NULL,
					ice_dev->device_no, NULL, tmp_dev_name);
					ice_dev->device_no, NULL,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);

	if (!class_dev) {
		pr_err("class_device_create failed %d for %s\n",
							rc, tmp_dev_name);
		pr_err("class_device_create failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
		rc = -ENOMEM;
		goto exit_destroy_class;
	}
@@ -756,7 +753,8 @@ static int register_ice_device(struct ice_device *ice_dev)

	rc = cdev_add(&ice_dev->cdev, MKDEV(MAJOR(ice_dev->device_no), 0), 1);
	if (rc < 0) {
		pr_err("cdev_add failed %d for %s\n", rc, tmp_dev_name);
		pr_err("cdev_add failed %d for %s\n", rc,
			is_sdcc_ice ? QCOM_SDCC_ICE_DEV : QCOM_UFS_ICE_DEV);
		goto exit_destroy_device;
	}
	return  0;
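Review bot: The `if (!class_dev)` test after device_create() in the second hunk will not catch a failure, because device_create() reports errors with ERR_PTR() rather than NULL, so a failed call would fall through to the code after the hunk. That branch also logs `rc` before assigning it, so the message would print the stale value left by alloc_chrdev_region() (presumably 0). I would change the check to `if (IS_ERR(class_dev)) {` and put `rc = PTR_ERR(class_dev);` ahead of the pr_err(). Separately, the six repeated ternaries could become one `const char *dev_name` pointing at the literal, with a comment such as `/* class_create() keeps this pointer; the name must not live on the stack */`; as written, any instance type other than "sdcc" is silently named "iceufs". register_ice_device() begins and ends outside the visible hunks.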