authorHanumanth Reddy Pothula <c_hpothu@qti.qualcomm.com>2016-09-08 13:45:01 +0530
committerqcabuildsw <qcabuildsw@localhost>2017-01-28 04:49:55 -0800
commitacd8cecddf929c77cebfd3b71bbd82e64f102729 (patch)
tree846a60f710ecf5b57192830bfcce6c6dfba7823b
parentd3c5ee53e5ef434ecab006e8566d4f55e04212b1 (diff)
qcacld-3.0: Fix out of bound issue in wlan_logging_proc_sock_rx_msg
qcacld-2.0 to qcacld-3.0 propagation. Out of bound access is reported by kernel address sanitizer (KASAN) tool. ================================================================= BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc03f9b1f94 Read of size 1024 by task WifiLogger_app/662 ================================================================= page dumped because: kasan: bad access detected ----------------------------------------------------------------- [<ffffffc00008c80c>] dump_backtrace+0x0/0x284 [<ffffffc00008caa0>] show_stack+0x10/0x1c [<ffffffc001e98084>] dump_stack+0x74/0xfc [<ffffffc0002f2fac>] print_trailer+0x150/0x164 [<ffffffc0002f3374>] object_err+0x38/0x4c [<ffffffc0002f88ac>] kasan_report+0x34c/0x504 [<ffffffc0002f7b74>] __asan_loadN+0x20/0x14c [<ffffffc0002f8078>] memcpy+0x24/0x54 [<ffffffbffc3958ec>] vos_mem_copy+0x68/0x7c [wlan] [<ffffffbffc307648>] wlan_logging_proc_sock_rx_msg+0x39c/0x3f0 [wlan] [<ffffffbffc3042f0>] nl_srv_rcv+0x1c0/0x218 [wlan] [<ffffffc001a28b20>] netlink_unicast+0x3b0/0x4c0 [<ffffffc001a2975c>] netlink_sendmsg+0xa2c/0xb30 [<ffffffc00196b658>] sock_sendmsg+0x1d4/0x22c [<ffffffc001970278>] SyS_sendto+0x194/0x224 ================================================================ There is possibility of out of bound memory access, if user sends a netlink packet with message length greater than skb data_len. Don't process netlink packet if message length is greater than skb data_len. Change-Id: Ice6492aa191da0af3fe4fc9b58dfddcb2a59d6d0 CRs-Fixed: 975923
-rw-r--r--core/utils/logging/src/wlan_logging_sock_svc.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/core/utils/logging/src/wlan_logging_sock_svc.c b/core/utils/logging/src/wlan_logging_sock_svc.c
index 4396139f6c18..a3f45d18f09a 100644
--- a/core/utils/logging/src/wlan_logging_sock_svc.c
+++ b/core/utils/logging/src/wlan_logging_sock_svc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -887,6 +887,13 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb)
return -EINVAL;
}
+ if (wnl->wmsg.length > skb->data_len) {
+ LOGGING_TRACE(QDF_TRACE_LEVEL_ERROR,
+ "%s: invalid length msgLen:%x skb data_len:%x\n",
+ __func__, wnl->wmsg.length, skb->data_len);
+ return -EINVAL;
+ }
+
if (gapp_pid != INVALID_PID) {
if (wnl->nlh.nlmsg_pid > gapp_pid) {
gapp_pid = wnl->nlh.nlmsg_pid;
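Review bot: The added guard `if (wnl->wmsg.length > skb->data_len)` compares against `skb->data_len`, which in `struct sk_buff` counts only the bytes held in paged fragments, not the bytes reachable through `skb->data`. For a linear skb that field is 0, so the guard would reject every non-empty message, and for a fragmented skb it does not bound a later copy that reads from the linear area; which case applies depends on how the netlink path builds the skb, which the hunk does not show. The bound that matches a read from `skb->data` is the linear length, e.g. `if (wnl->wmsg.length > skb_headlen(skb)) {`, reduced by the offset of the payload inside the buffer; how `wmsg.length` relates to the header size is defined outside this hunk and needs confirming. It is also worth checking that the skb holds at least `sizeof(*wnl)` bytes before `wnl->wmsg.length` is read, since that check is not visible here. wlan_logging_proc_sock_rx_msg starts before and continues after the hunk.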