author AnilKumar Chimata <anilc@codeaurora.org> 2016-02-10 19:30:50 +0530
committer David Keitel <dkeitel@codeaurora.org> 2016-03-23 21:20:33 -0700
commit 2f0b2a8d5f16113d38ef198252a761f0cc4224bb
tree 9181759b2a09036a441cc806a6eea2e72d0efb05 /include/uapi/linux
parent 79e5686c6b80c5ed1f9aed01c76fc9a2b5a8cdfa
qseecom: Fix stack out of bounds issue
While copying the request buffer to a temporary buffer, a large size of the request buffer is copied, which leads to accessing the stack out of its size.

<3>[ 24.265116] ==================================================================
<3>[ 24.271333] BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc05890b744
<3>[ 24.279388] Read of size 4096 by task vold/362
<0>[ 24.283819] page:ffffffba494e3790 count:0 mapcount:0 mapping: (null) index:0x0
<0>[ 24.291800] flags: 0x0()
<1>[ 24.294318] page dumped because: kasan: bad access detected
<6>[ 24.299884] CPU: 1 PID: 362 Comm: vold Not tainted 3.18.20-g7bb9977 #1
<6>[ 24.299895] Hardware name: Qualcomm Technologies, Inc. MSM8937-PMI8950 MTP (DT)
<0>[ 24.299904] Call trace:
<6>[ 24.302314] [<ffffffc00008c80c>] dump_backtrace+0x0/0x284
<6>[ 24.302329] [<ffffffc00008caa0>] show_stack+0x10/0x1c
<6>[ 24.302345] [<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
<6>[ 24.302362] [<ffffffc0002f8880>] kasan_report+0x3b4/0x504
<6>[ 24.302376] [<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
<6>[ 24.302389] [<ffffffc0002f7fe4>] memcpy+0x24/0x54
<6>[ 24.302406] [<ffffffc000bfdf80>] qseecom_scm_call2+0xec0/0x1c94
<6>[ 24.302421] [<ffffffc000c00798>] qseecom_scm_call.constprop.41+0x64/0x7c
<6>[ 24.302436] [<ffffffc000c0513c>] qseecom_create_key+0x304/0x680
<6>[ 24.302450] [<ffffffc000c1084c>] qseecom_ioctl+0x2fb8/0x4944
<6>[ 24.302464] [<ffffffc000333f70>] do_vfs_ioctl+0x9c8/0xb0c
<6>[ 24.302476] [<ffffffc00033410c>] SyS_ioctl+0x58/0x8c
<3>[ 24.302484] Memory state around the buggy address:
<3>[ 24.307080] ffffffc05890b680: f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00 00 00
<3>[ 24.314283] ffffffc05890b700: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[ 24.321488] >ffffffc05890b780: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[ 24.328690] ^
<3>[ 24.332164] ffffffc05890b800: 00 00 04 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
<3>[ 24.339369] ffffffc05890b880: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
<3>[ 24.346571] ==================================================================
<4>[ 24.353777] Disabling lock debugging due to kernel taint
<3>[ 24.533597] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<6>[ 24.541522] get_ice_device_from_storage_type: found ice device ffffffc05bd61f80
<3>[ 24.545296] ==================================================================
<3>[ 24.551503] BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc05890b7c4
<3>[ 24.559558] Read of size 4096 by task vold/362
<0>[ 24.563989] page:ffffffba494e3790 count:0 mapcount:0 mapping: (null) index:0x0
<0>[ 24.571966] flags: 0x0()
<1>[ 24.574485] page dumped because: kasan: bad access detected
<6>[ 24.580050] CPU: 1 PID: 362 Comm: vold Tainted: G B 3.18.20-g7bb9977 #1
<6>[ 24.580060] Hardware name: Qualcomm Technologies, Inc. MSM8937-PMI8950 MTP (DT)
<0>[ 24.580069] Call trace:
<6>[ 24.582482] [<ffffffc00008c80c>] dump_backtrace+0x0/0x284
<6>[ 24.582497] [<ffffffc00008caa0>] show_stack+0x10/0x1c
<6>[ 24.582513] [<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
<6>[ 24.582529] [<ffffffc0002f8880>] kasan_report+0x3b4/0x504
<6>[ 24.582543] [<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
<6>[ 24.582556] [<ffffffc0002f7fe4>] memcpy+0x24/0x54
<6>[ 24.582574] [<ffffffc000bfe128>] qseecom_scm_call2+0x1068/0x1c94
<6>[ 24.582588] [<ffffffc000c00798>] qseecom_scm_call.constprop.41+0x64/0x7c
<6>[ 24.582603] [<ffffffc000c04c30>] __qseecom_set_clear_ce_key+0xf4/0x2fc
<6>[ 24.582616] [<ffffffc000c05334>] qseecom_create_key+0x4fc/0x680
<6>[ 24.582630] [<ffffffc000c1084c>] qseecom_ioctl+0x2fb8/0x4944
<6>[ 24.582644] [<ffffffc000333f70>] do_vfs_ioctl+0x9c8/0xb0c
<6>[ 24.582656] [<ffffffc00033410c>] SyS_ioctl+0x58/0x8c
<3>[ 24.582664] Memory state around the buggy address:
<3>[ 24.587250] ffffffc05890b700: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[ 24.594453] ffffffc05890b780: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
<3>[ 24.601656] >ffffffc05890b800: 00 00 04 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
<3>[ 24.608860] ^
<3>[ 24.612596] ffffffc05890b880: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
<3>[ 24.619802] ffffffc05890b900: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
<3>[ 24.627001] ==================================================================
<6>[ 24.799462] get_ice_device_from_storage_type: found ice device ffffffc05bd61f80
<3>[ 24.803065] QSEECOM: qseecom_create_key: Set the key successfully

Change-Id: Id683067d29531686dafe94114ba3329f87292923
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
Diffstat (limited to 'include/uapi/linux')
0 files changed, 0 insertions, 0 deletions
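
Added triage example (not part of the commit or of the qseecom driver): a small Python parser for KASAN reports in the log format quoted in the commit message. It extracts the bug class, access size and task, then skips the reporting and memcpy frames to name the first driver function in the call trace. The names `parse_kasan` and `NOISE` are assumptions of this example; the sample lines are abridged from the first report above.

```python
import re

# Sample input: lines abridged from the first KASAN report in the commit message.
SAMPLE = """\
<3>[ 24.271333] BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54 at addr ffffffc05890b744
<3>[ 24.279388] Read of size 4096 by task vold/362
<0>[ 24.299904] Call trace:
<6>[ 24.302314] [<ffffffc00008c80c>] dump_backtrace+0x0/0x284
<6>[ 24.302329] [<ffffffc00008caa0>] show_stack+0x10/0x1c
<6>[ 24.302345] [<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
<6>[ 24.302362] [<ffffffc0002f8880>] kasan_report+0x3b4/0x504
<6>[ 24.302376] [<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
<6>[ 24.302389] [<ffffffc0002f7fe4>] memcpy+0x24/0x54
<6>[ 24.302406] [<ffffffc000bfdf80>] qseecom_scm_call2+0xec0/0x1c94
<6>[ 24.302421] [<ffffffc000c00798>] qseecom_scm_call.constprop.41+0x64/0x7c
<6>[ 24.302436] [<ffffffc000c0513c>] qseecom_create_key+0x304/0x680
<6>[ 24.302450] [<ffffffc000c1084c>] qseecom_ioctl+0x2fb8/0x4944
<3>[ 24.302484] Memory state around the buggy address:
"""

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that belong to the reporting machinery or the generic copy routine.
NOISE = {"dump_backtrace", "show_stack", "dump_stack", "kasan_report", "memcpy"}

def parse_kasan(log):
    """Return one dict per KASAN report found in a dmesg-style log."""
    reports, cur = [], None
    for line in log.splitlines():
        if (m := BUG_RE.search(line)):
            cur = {"bug": m[1], "in": m[2], "addr": m[3], "frames": []}
            reports.append(cur)
        elif cur is None:
            continue
        elif (m := ACCESS_RE.search(line)):
            cur.update(access=m[1], size=int(m[2]), task=m[3], pid=int(m[4]))
        elif (m := FRAME_RE.search(line)):
            cur["frames"].append(m[1])
        elif "Memory state around" in line:
            cur = None  # shadow-memory dump follows; the call trace is over
    for r in reports:
        callers = [f for f in r["frames"] if f not in NOISE and not f.startswith("__asan_")]
        r["culprit"] = callers[0] if callers else None   # first frame above memcpy
        r["entry"] = callers[-1] if callers else None    # outermost frame captured
    return reports
```

Run over the full log in the commit message, both reports resolve to `qseecom_scm_call2` as the caller of the oversized `memcpy`, reached through `qseecom_ioctl`.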