| author | Hanumantha Reddy Pothula <c_hpothu@qti.qualcomm.com> | 2016-04-07 11:48:58 +0530 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-05-23 16:09:44 +0530 |
| commit | 11ef0f5811ebcafe42243bb0502c841b3e10c056 (patch) | |
| tree | 3def6af9cd29329a0f5f3d4c8be2a32668b56d44 | |
| parent | 77deb8f06c8ad8597877e8adbed7d97ef7006fc0 (diff) | |
qcacld-2.0: Fix out of bound issue in wlan_logging_proc_sock_rx_msg
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASAN) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at addr
ffffffc03f9b1f94
Read of size 1024 by task WifiLogger_app/662
=================================================================
page dumped because: kasan: bad access detected
-----------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f7b74>] __asan_loadN+0x20/0x14c
[<ffffffc0002f8078>] memcpy+0x24/0x54
[<ffffffbffc3958ec>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc307648>] wlan_logging_proc_sock_rx_msg+0x39c/0x3f0 [wlan]
[<ffffffbffc3042f0>] nl_srv_rcv+0x1c0/0x218 [wlan]
[<ffffffc001a28b20>] netlink_unicast+0x3b0/0x4c0
[<ffffffc001a2975c>] netlink_sendmsg+0xa2c/0xb30
[<ffffffc00196b658>] sock_sendmsg+0x1d4/0x22c
[<ffffffc001970278>] SyS_sendto+0x194/0x224
================================================================
There is a possibility of out of bound memory access if the user sends
a netlink packet with a message length greater than skb data_len.
Don't process the netlink packet if the message length is greater than
skb data_len.
Change-Id: Ice6492aa191da0af3fe4fc9b58dfddcb2a59d6d0
CRs-Fixed: 975923
| -rw-r--r-- | CORE/SVC/src/logging/wlan_logging_sock_svc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/CORE/SVC/src/logging/wlan_logging_sock_svc.c b/CORE/SVC/src/logging/wlan_logging_sock_svc.c index 1dd4dc0a2e86..104659e91446 100644 --- a/CORE/SVC/src/logging/wlan_logging_sock_svc.c +++ b/CORE/SVC/src/logging/wlan_logging_sock_svc.c @@ -831,6 +831,13 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb) return -EINVAL; } + if (wnl->wmsg.length > skb->data_len) { + LOGGING_TRACE(VOS_TRACE_LEVEL_ERROR, + "%s: invalid length msgLen:%x skb data_len:%x\n", + __func__, wnl->wmsg.length, skb->data_len); + return -EINVAL; + } + if (gapp_pid != INVALID_PID) { if (wnl->nlh.nlmsg_pid > gapp_pid) { gapp_pid = wnl->nlh.nlmsg_pid; |
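Review bot: The bound in the added `if (wnl->wmsg.length > skb->data_len)` check looks like the wrong field. In `struct sk_buff`, `data_len` counts only the bytes held in paged fragments, while `len` is the total; for a fully linear skb `data_len` is 0, so this test would reject every message with a non-zero `wmsg.length` instead of only oversized ones. The comparison also takes no account of the headers that sit in front of the payload (`wnl->nlh` and the `wmsg` header itself), so even against `skb->len` a length equal to the whole buffer would pass while the later copy starts past those headers. Please compare `wnl->wmsg.length` against the bytes that actually remain after the headers, derived from `skb->len` or `wnl->nlh.nlmsg_len`, and confirm that the result covers the 1024-byte `memcpy` read shown in the KASAN report, which is not visible in this hunk. Minor: the trace prints both lengths with `%x`; `%u` would be easier to read in logs for a length field.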
