0
0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-21 10:05:00 +08:00
linux/drivers/base
Isaac J. Manjarres 963b54df82
regmap-irq: Fix out-of-bounds access when allocating config buffers
When allocating the 2D array for handling IRQ type registers in
regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix
with num_config_bases rows and num_config_regs columns.

This is currently handled by allocating a buffer to hold a pointer for
each row (i.e. num_config_bases). After that, the logic attempts to
allocate the memory required to hold the register configuration for
each row. However, instead of doing this allocation for each row
(i.e. num_config_bases allocations), the logic erroneously does this
allocation num_config_regs number of times.

This scenario can lead to out-of-bounds accesses when num_config_regs
is greater than num_config_bases. Fix this by updating the terminating
condition of the loop that allocates the memory for holding the register
configuration to allocate memory only for each row in the matrix.

Amit Pundir reported a crash that was occurring on his db845c device
due to memory corruption (see "Closes" tag for Amit's report). The KASAN
report below helped narrow it down to this issue:

[   14.033877][    T1] ==================================================================
[   14.042507][    T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364
[   14.050796][    T1] Write of size 8 at addr 06ffff8081021850 by task init/1

[   14.242004][    T1] The buggy address belongs to the object at ffffff8081021850
[   14.242004][    T1]  which belongs to the cache kmalloc-8 of size 8
[   14.255669][    T1] The buggy address is located 0 bytes inside of
[   14.255669][    T1]  8-byte region [ffffff8081021850, ffffff8081021858)

Fixes: faa87ce919 ("regmap-irq: Introduce config registers for irq types")
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Closes: https://lore.kernel.org/all/CAMi1Hd04mu6JojT3y6wyN2YeVkPR5R3qnkKJ8iR8if_YByCn4w@mail.gmail.com/
Tested-by: John Stultz <jstultz@google.com>
Tested-by: Amit Pundir <amit.pundir@linaro.org> # tested on Dragonboard 845c
Cc: stable@vger.kernel.org # v6.0+
Cc: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
Cc: Saravana Kannan <saravanak@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: "Isaac J. Manjarres" <isaacmanjarres@google.com>
Link: https://lore.kernel.org/r/20230711193059.2480971-1-isaacmanjarres@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2023-07-12 12:05:10 +01:00
..
firmware_loader firmware_loader: Fix a NULL vs IS_ERR() check 2023-05-31 20:31:00 +01:00
power Merge branches 'pm-sleep' and 'pm-domains' 2023-06-26 17:44:50 +02:00
regmap regmap-irq: Fix out-of-bounds access when allocating config buffers 2023-07-12 12:05:10 +01:00
test Merge 6.2-rc5 into driver-core-next 2023-01-22 12:56:55 +01:00
arch_numa.c mm: percpu: add generic pcpu_populate_pte() function 2022-01-20 08:52:52 +02:00
arch_topology.c arch_topology: Remove early cacheinfo error message if -ENOENT 2023-04-14 10:13:38 +01:00
attribute_container.c driver core: attribute_container: fix W=1 warnings 2021-05-14 13:37:10 +02:00
auxiliary.c driver core: make struct bus_type.uevent() take a const * 2023-01-27 13:45:52 +01:00
base.h driver core: class: make class_register() take a const * 2023-04-03 21:42:46 +02:00
bus.c driver core: bus: constify bus_get() 2023-03-23 13:21:24 +01:00
cacheinfo.c drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug 2023-05-31 20:36:47 +01:00
class.c driver core: class: properly reference count class_dev_iter() 2023-05-19 11:03:36 +01:00
component.c drivers: base: component: fix memory leak with using debugfs_lookup() 2023-02-08 13:33:10 +01:00
container.c
core.c driver core: update comments in device_rename() 2023-04-20 14:19:25 +02:00
cpu.c tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem 2023-04-05 13:47:43 +00:00
dd.c driver core: return bool from driver_probe_done 2023-06-05 10:55:20 -06:00
devcoredump.c driver core: class: mark the struct class for sysfs callbacks as constant 2023-03-29 07:54:58 +02:00
devres.c drivers/base: use ARCH_DMA_MINALIGN instead of ARCH_KMALLOC_MINALIGN 2023-06-19 16:19:20 -07:00
devtmpfs.c driver core: clean up the logic to determine which /sys/dev/ directory to use 2023-03-31 17:45:07 +02:00
driver.c driver core: create bus_is_registered() 2023-02-09 10:43:35 +01:00
firmware.c
hypervisor.c
init.c init: Initialize noop_backing_dev_info early 2022-06-16 10:55:57 +02:00
isa.c isa: Remove unnecessary checks 2023-05-31 19:03:39 +01:00
Kconfig driver core: Add CONFIG_FW_DEVLINK_SYNC_STATE_TIMEOUT 2023-03-28 18:45:59 +02:00
Makefile genirq: Get rid of GENERIC_MSI_IRQ_DOMAIN 2022-11-17 15:15:20 +01:00
map.c driver: base: Prefer unsigned int to bare use of unsigned 2021-07-21 17:30:09 +02:00
memory.c drivers/base/memory: Fix comments for phys_index_show() 2023-01-20 14:15:00 +01:00
module.c
node.c driver core changes for 6.5-rc1 2023-07-03 12:56:23 -07:00
physical_location.c driver core: location: Free struct acpi_pld_info *pld before return false 2023-01-20 14:20:30 +01:00
physical_location.h driver core: physical_location.h remove extern from function prototypes 2023-03-24 15:35:48 +01:00
pinctrl.c
platform-msi.c genirq/msi, platform-msi: Ensure that MSI descriptors are unreferenced 2023-03-02 18:09:44 +01:00
platform.c driver core: platform: simplify __platform_driver_probe() 2023-02-01 14:08:10 +01:00
property.c drivers: fwnode: fix fwnode_irq_get[_byname]() 2023-06-15 13:37:35 +02:00
soc.c base: soc: populate machine name in soc_device_register if empty 2023-03-29 12:21:23 +02:00
swnode.c driver core: make kobj_type structures constant 2023-02-08 13:34:30 +01:00
syscore.c syscore: Use pm_pr_dbg() for syscore_{suspend,resume}() 2020-09-08 13:32:06 +02:00
topology.c drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist 2022-07-15 17:36:33 +02:00
trace.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
trace.h devres: Enable trace events 2021-06-15 17:14:36 +02:00
transport_class.c drivers: base: transport_class: fix resource leak when transport_add_device() fails 2023-01-20 14:22:53 +01:00