diff options
| author | Se Wang (Patrick) Oh <sewango@codeaurora.org> | 2015-09-02 21:07:47 -0700 |
|---|---|---|
| committer | Jonathan Solnit <jsolnit@google.com> | 2017-07-26 13:50:44 -0700 |
| commit | 0b28c9afaba8ae7f05d4a2a289a96cef640e9cb2 (patch) | |
| tree | 1c680c80bc31ab0b9cb6b9ced5c8aa84037e98a8 | |
| parent | 655b2922bace25e10cb342ecebbb258c5f662e13 (diff) | |
BACKPORT: arm64: Fix out of bound access to compat_hwcap_strandroid-8.0.0_r0.9
As compat_hwcap_str[] doesn't end with 'NULL', c_show()
tries to read the next element even after the end of the
array. So add 'NULL' at the end of compat_hwcap_str[].
Below is the KASan report for referencing.
BUG: KASan: out of bounds access in c_show+0x110/0x248 at addr ffffffc0011f6370
Read of size 8 by task pool-1-thread-1/10526
page:ffffffbac14b39c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x400(reserved)
page dumped because: kasan: bad access detected
Address belongs to variable compat_hwcap_str+0xb0/0xe0
CPU: 0 PID: 10526 Comm: pool-1-thread-1 Tainted: G B W 3.18.18-ga7b28e9-11552-ge4a827f #1
Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT)
Call trace:
[<ffffffc000089ec4>] dump_backtrace+0x0/0x1c4
[<ffffffc00008a098>] show_stack+0x10/0x1c
[<ffffffc0011a7c58>] dump_stack+0x74/0xc8
[<ffffffc00020e94c>] kasan_report_error+0x2b0/0x408
[<ffffffc00020eb80>] kasan_report+0x34/0x40
[<ffffffc00020db14>] __asan_load8+0x84/0x90
[<ffffffc000088ae8>] c_show+0x10c/0x248
[<ffffffc000245bb8>] traverse+0x1a8/0x320
[<ffffffc000245dc8>] seq_lseek+0x98/0x148
[<ffffffc00028f4e0>] proc_reg_llseek+0xa0/0xd8
[<ffffffc000217d1c>] vfs_llseek+0x5c/0x70
[<ffffffc000218b0c>] SyS_lseek+0x48/0x80
[<ffffffc000218b50>] compat_SyS_lseek+0xc/0x18
Memory state around the buggy address:
ffffffc0011f6200: 00 00 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
ffffffc0011f6280: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffc0011f6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
^
ffffffc0011f6380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
ffffffc0011f6400: 02 fa fa fa fa fa fa fa 00 00 00 02 fa fa fa fa
Change-Id: I5e2098f9a7a676c47a01baf10de3ac1c86265e69
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
Bug: 38198574
(cherry picked from 9f261e5dfe101bbe35043822a89bffa78e080b3b)
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
| -rw-r--r-- | arch/arm64/kernel/cpuinfo.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c index 220b161c847e..81fe6cff9569 100644 --- a/arch/arm64/kernel/cpuinfo.c +++ b/arch/arm64/kernel/cpuinfo.c @@ -84,7 +84,8 @@ static const char *compat_hwcap_str[] = { "idivt", "vfpd32", "lpae", - "evtstrm" + "evtstrm", + NULL }; static const char *compat_hwcap2_str[] = { |