linux/drivers
Mark A. Greer f873ded213 mwifiex: debugfs: Fix out of bounds array access
When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
the following panic occurs:

$ cat /sys/kernel/debug/mwifiex/p2p0/info
Unable to handle kernel paging request at virtual address 74706164
pgd = de530000
[74706164] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
task: de16b6c0 ti: de048000 task.ti: de048000
PC is at strnlen+0xc/0x4c
LR is at string+0x3c/0xf8
pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
sp : de049e10  ip : c06efba0  fp : de6d2092
r10: bf01a260  r9 : ffffffff  r8 : 74706164
r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9e530019  DAC: 00000015
Process cat (pid: 1635, stack limit = 0xde048240)
Stack: (0xde049e10 to 0xde04a000)
9e00:                                     de6d2092 00000002 bf01a25e de6d209c
9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
[<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
[<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
[<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
[<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
[<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
[<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
[<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
---[ end trace ca98273dc605a04f ]---

The panic is caused by the mwifiex_info_read() routine assuming that
there can only be four modes (0-3) which is an invalid assumption.
For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
code accesses data beyond the bounds of the bss_modes[] array which
causes the panic.  Fix this by updating bss_modes[] to support the
current list of modes and adding a check to prevent the out-of-bounds
access from occurring in the future when more modes are added.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 10:20:55 -04:00
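As an added illustration of the bug class the commit message describes (example code, not the mwifiex driver's own): a constructed four-entry name table indexed by a mode value, the unchecked lookup that reads past the table for mode 8, and the bounds-checked lookup the fix calls for. The table contents and the function names are constructed stand-ins, not the driver's identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's bss_modes[] table (not the real
 * mwifiex table): only modes 0-3 have entries, matching the pre-fix layout. */
static const char *const bss_modes[] = {
    "mode-0 (constructed)",
    "mode-1 (constructed)",
    "mode-2 (constructed)",
    "mode-3 (constructed)",
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Before the fix: the mode is used as an index with no range check.  With
 * mode == 8 (P2P_CLIENT in the report) this reads a pointer from beyond the
 * end of the table and passes it to sprintf's "%s", which is the strnlen()
 * fault in the oops above.  Shown only for contrast; never call it with
 * mode >= ARRAY_SIZE(bss_modes). */
static const char *bss_mode_name_unchecked(unsigned int mode)
{
    return bss_modes[mode];
}

/* After the fix: validate the index against the table size first and fall
 * back to a fixed string, so a future, still-unlisted mode prints something
 * harmless instead of dereferencing whatever happens to follow the array. */
static const char *bss_mode_name(unsigned int mode)
{
    if (mode >= ARRAY_SIZE(bss_modes))
        return "unknown";
    return bss_modes[mode];
}

/* Mirrors the sprintf(..., "%s", ...) pattern of the debugfs read path, but
 * with a bounded buffer and the checked lookup.  Returns the snprintf count. */
static int format_info_line(char *buf, size_t len, unsigned int mode)
{
    return snprintf(buf, len, "mode=\"%s\"\n", bss_mode_name(mode));
}

int main(void)
{
    char line[64];
    unsigned int modes[] = { 0, 3, 8, 255 };   /* 8 is the reported P2P case */
    for (size_t i = 0; i < ARRAY_SIZE(modes); i++) {
        format_info_line(line, sizeof line, modes[i]);
        fputs(line, stdout);
    }
    return 0;
}
```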