linux/include/trace/events
David Collins 1e0ca3d809 spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
commit 2af28b241e upstream.

trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1".  This leads to one extra
byte being read beyond the end of the specified buffer.  Fix
this out-of-bound memory access by using a length of "len"
instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
 adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object:
 [32, 33) 'status'

Memory state around the buggy address:
 ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
                                           ^
 ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
==================================================================

Fixes: a9fce37481 ("spmi: add command tracepoints for SPMI")
Cc: stable@vger.kernel.org
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: David Collins <quic_collinsd@quicinc.com>
Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-17 14:24:19 +02:00
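The off-by-one the commit message describes, shown as an added illustration in C. This is not the kernel's spmi.h tracepoint code and was not written by the patch author: a stand-in trace record is filled once with the buggy `len + 1` copy and once with the corrected `len` copy from a 1-byte stack buffer whose neighbouring byte is a known marker, mirroring the 1-byte 'status' object in the KASAN frame above. The record layout, function names, the placeholder opcode/sid/addr values and the marker byte are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed payload capacity: a u8 length plus the one extra byte the buggy
 * variant copies needs at most 256 bytes. */
#define TRACE_BUF_MAX 256

/* Stand-in for a trace event record with a dynamic byte array
 * (assumed layout for this example, not the kernel's). */
struct spmi_trace_rec {
	uint8_t opcode;
	uint8_t sid;
	uint16_t addr;
	uint8_t len;
	uint8_t buf[TRACE_BUF_MAX];
};

/* Buggy pattern from the commit message: the record is told it holds
 * len + 1 bytes and memcpy() reads len + 1 bytes, one past the end of
 * the caller's buffer. */
static void trace_read_end_buggy(struct spmi_trace_rec *rec, uint8_t opcode,
				 uint8_t sid, uint16_t addr, uint8_t len,
				 const uint8_t *buf)
{
	rec->opcode = opcode;
	rec->sid = sid;
	rec->addr = addr;
	rec->len = len + 1;                      /* one byte too many */
	memcpy(rec->buf, buf, (size_t)len + 1);  /* over-reads the source */
}

/* Fixed pattern: exactly len bytes are recorded and copied. */
static void trace_read_end_fixed(struct spmi_trace_rec *rec, uint8_t opcode,
				 uint8_t sid, uint16_t addr, uint8_t len,
				 const uint8_t *buf)
{
	rec->opcode = opcode;
	rec->sid = sid;
	rec->addr = addr;
	rec->len = len;
	memcpy(rec->buf, buf, len);
}

/* Mimics the caller's frame in the KASAN report: a 1-byte 'status' buffer
 * whose neighbour on the stack is an unrelated byte. Making the neighbour a
 * known marker lets the over-read be observed without KASAN, and keeping
 * both bytes in one struct keeps this example free of undefined behaviour. */
#define NEIGHBOUR_MARKER 0xa5

struct caller_frame {
	uint8_t status;      /* the buffer the driver actually passed */
	uint8_t neighbour;   /* adjacent stack byte; must never be traced */
};

static void run_trace(int use_fixed, struct spmi_trace_rec *rec)
{
	struct caller_frame f = { .status = 0x01, .neighbour = NEIGHBOUR_MARKER };

	memset(rec, 0, sizeof(*rec));
	/* opcode/sid/addr are placeholders, not real SPMI command codes */
	if (use_fixed)
		trace_read_end_fixed(rec, 0x00, 0, 0x1000, 1, &f.status);
	else
		trace_read_end_buggy(rec, 0x00, 0, 0x1000, 1, &f.status);
}

/* Bytes the record claims beyond the caller's 1-byte buffer:
 * 1 for the buggy variant, 0 for the fixed one. */
size_t trace_overrun_bytes(int use_fixed)
{
	struct spmi_trace_rec rec;

	run_trace(use_fixed, &rec);
	return rec.len > 1 ? rec.len - 1 : 0;
}

/* Byte that landed in rec.buf[1]: the neighbour marker if the over-read
 * happened, 0 (zero-filled, untouched) otherwise. */
uint8_t trace_leaked_neighbour(int use_fixed)
{
	struct spmi_trace_rec rec;

	run_trace(use_fixed, &rec);
	return rec.buf[1];
}

int main(void)
{
	printf("buggy: overrun=%zu leaked=0x%02x\n",
	       trace_overrun_bytes(0), trace_leaked_neighbour(0));
	printf("fixed: overrun=%zu leaked=0x%02x\n",
	       trace_overrun_bytes(1), trace_leaked_neighbour(1));
	return 0;
}
```

Under KASAN the buggy variant produces a report like the one quoted above; here the marker showing up in `rec.buf[1]` makes the same over-read visible without instrumentation. The point worth noting is that the extra byte is not merely read but copied into the trace record, so whatever happened to sit next to the caller's buffer ends up in the trace output; the fix therefore has to drop the `+ 1` from both the recorded length and the memcpy() length, not just one of them.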
9p.h
afs.h afs: Try to avoid taking RCU read lock when checking vnode validity 2021-09-13 09:10:39 +01:00
alarmtimer.h
asoc.h ASoC: soc-core: tidyup jack.h 2020-11-30 12:54:01 +00:00
avc.h selinux: add basic filtering for audit trace events 2020-08-21 17:07:29 -04:00
bcache.h block: remove superfluous param in blk_fill_rwbs() 2021-02-22 06:37:41 -07:00
block.h blktrace: fix blk_rq_merge documentation 2021-02-22 06:37:41 -07:00
bpf_test_run.h
bridge.h net: bridge: fdb: br_fdb_update can take flags directly 2019-11-01 10:32:43 -07:00
btrfs.h btrfs: use delalloc_bytes to determine flush amount for shrink_delalloc 2021-08-23 13:19:07 +02:00
cachefiles.h cachefiles: Fix oops with cachefiles_cull() due to NULL object 2021-10-05 11:22:06 +01:00
cgroup.h cgroup: Trace event cgroup id fields should be u64 2022-01-27 11:03:23 +01:00
clk.h clk: Trace clk_set_rate() "range" functions 2020-12-17 01:54:31 -08:00
cma.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
compaction.h mm/page_alloc: integrate classzone_idx and high_zoneidx 2020-06-03 20:09:44 -07:00
context_tracking.h
cpuhp.h
damon.h mm/damon: add a tracepoint 2021-09-08 11:50:24 -07:00
devfreq.h PM / devfreq: Add tracepoint for frequency changes 2020-10-26 10:52:37 +09:00
devlink.h devlink: Add a tracepoint for trap reports 2020-09-30 18:01:26 -07:00
dma_fence.h treewide: Add missing semicolons to __assign_str uses 2021-06-30 09:19:14 -04:00
erofs.h erofs: fix up erofs_lookup tracepoint 2021-09-23 23:21:34 +08:00
error_report.h tracing: add error_report_end trace point 2021-02-26 09:41:02 -08:00
ext4.h ext4: fix ext4_fc_stats trace point 2022-04-08 14:22:58 +02:00
f2fs.h f2fs: fix up f2fs_lookup tracepoints 2021-11-25 09:48:31 +01:00
fib6.h
fib.h
filelock.h locks: Remove extra "0x" in tracepoint format specifier 2020-09-01 18:09:34 -04:00
filemap.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
fs_dax.h
fscache.h fscache: Use refcount_t for the cookie refcount instead of atomic_t 2021-08-27 13:34:03 +01:00
fsi_master_aspeed.h fsi: aspeed: Add trace points 2019-11-08 11:28:20 +01:00
fsi_master_ast_cf.h
fsi_master_gpio.h
fsi.h trace: fsi: Print transfer size unsigned 2019-11-08 11:23:37 +01:00
gpio.h
gpu_mem.h gpu/trace: Minor comment updates for gpu_mem_total tracepoint 2020-05-07 13:32:57 -04:00
host1x.h
huge_memory.h khugepaged: introduce 'max_ptes_shared' tunable 2020-06-03 20:09:46 -07:00
hwmon.h
i2c.h
ib_mad.h
ib_umad.h
initcall.h
intel_iommu.h iommu/vt-d: Add prq_report trace event 2021-06-10 09:06:13 +02:00
intel_ish.h
intel-sst.h
io_uring.h io_uring: io_uring_complete() trace should take an integer 2021-09-03 16:59:06 -06:00
iocost.h blk-iocost: Add iocg idle state tracepoint 2020-12-17 07:55:44 -07:00
iommu.h
ipi.h
irq_matrix.h
irq.h
iscsi.h
jbd2.h jbd2,ext4: add a shrinker to release checkpointed buffers 2021-06-24 10:54:49 -04:00
kmem.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
kvm.h KVM: x86/mmu: Drop trace_kvm_age_page() tracepoint 2021-04-17 08:30:56 -04:00
kyber.h kyber: avoid q->disk dereferences in trace points 2021-10-15 21:02:57 -06:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-29 09:03:20 +02:00
lock.h
mce.h
mdio.h
migrate.h mm/migrate: demote pages during reclaim 2021-09-03 09:58:16 -07:00
mlxsw.h
mmap_lock.h mm: mmap_lock: add tracepoints around lock acquisition 2020-12-15 12:13:41 -08:00
mmap.h mm: mmap: add trace point of vm_unmapped_area 2020-04-02 09:35:30 -07:00
mmc.h
mmflags.h Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
module.h
mptcp.h mptcp: dump csum fields in mptcp_dump_mpext 2021-06-18 11:40:11 -07:00
napi.h tracing: Fix header include guards in trace event headers 2019-07-30 21:49:06 -04:00
nbd.h
neigh.h
net_probe_common.h
net.h net: use %px to print skb address in trace_netif_receive_skb 2021-07-15 10:28:48 -07:00
netfs.h netfs: Move cookie debug ID to struct netfs_cache_resources 2021-08-25 15:20:25 +01:00
netlink.h netlink: add tracepoint at NL_SET_ERR_MSG 2021-02-04 18:05:59 -08:00
nilfs2.h
nmi.h
objagg.h
oom.h
osnoise.h tracing: Fix spelling in osnoise tracer "interferences" -> "interference" 2021-06-28 14:12:27 -04:00
page_isolation.h
page_pool.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
page_ref.h mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) 2021-09-08 11:50:24 -07:00
pagemap.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
percpu.h
power_cpu_migrate.h
power.h PM: QoS: Simplify definitions of CPU latency QoS trace events 2020-02-13 11:26:39 +01:00
preemptirq.h tracing: Change offset type to s32 in preempt/irq tracepoints 2020-01-03 11:34:37 -05:00
printk.h
pwc.h
pwm.h pwm: Implement tracing for .get_state() and .apply_state() 2020-01-20 12:28:37 +01:00
qdisc.h qdisc: add new field for qdisc_enqueue tracepoint 2021-07-27 14:16:38 +01:00
qla.h scsi: qla2xxx: Suppress two recently introduced compiler warnings 2020-05-19 21:43:01 -04:00
qrtr.h net: qrtr: Add tracepoint support 2020-04-22 12:55:54 -07:00
rcu.h rcu/nocb: Unify timers 2021-05-12 12:10:23 -07:00
rdma_core.h RDMA/core: Add trace points to follow MR allocation 2020-01-07 16:10:53 -04:00
rdma.h RDMA/core: Move the rdma_show_ib_cm_event() macro 2020-08-24 16:01:47 -03:00
regulator.h regulator: core: Add regulator bypass trace points 2020-05-29 17:17:02 +01:00
rpcgss.h treewide: Add missing semicolons to __assign_str uses 2021-06-30 09:19:14 -04:00
rpcrdma.h xprtrdma: Add an xprtrdma_post_send_err tracepoint 2021-08-09 16:42:18 -04:00
rpm.h PM-runtime: add tracepoints for usage_count changes 2020-01-13 12:28:29 +01:00
rseq.h
rtc.h
rxrpc.h rxrpc: Fix decision on when to generate an IDLE ACK 2022-06-09 10:23:02 +02:00
sched.h sched/tracing: Remove the redundant 'success' in the sched tracepoint 2021-06-10 11:16:20 -04:00
scmi.h firmware: arm_scmi: Use signed integer to report transfer status 2020-06-30 14:07:08 +01:00
scsi.h scsi: core: Kill message byte 2021-05-31 22:48:24 -04:00
sctp.h sctp: move trace_sctp_probe_path into sctp_outq_sack 2019-12-26 13:06:45 -08:00
signal.h
siox.h
skb.h net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core() 2022-07-29 17:25:16 +02:00
smbus.h
sock.h net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer 2022-07-21 21:24:12 +02:00
spi.h spi: Enable tracing of the SPI setup CS selection 2021-05-26 21:22:13 +01:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-08-17 14:24:19 +02:00
sunrpc.h SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() 2022-05-18 10:26:57 +02:00
sunvnet.h
swiotlb.h
syscalls.h
target.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
task.h
tcp.h tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tegra_apb_dma.h tracing: Fix header include guards in trace event headers 2019-07-30 21:49:06 -04:00
thermal_power_allocator.h
thermal.h thermal: devfreq_cooling: change tracing function and arguments 2020-12-11 14:10:44 +01:00
thp.h
timer.h tracing: Fix various typos in comments 2021-03-23 14:08:18 -04:00
tlb.h
udp.h
ufs.h scsi: ufs: core: Enable power management for wlun 2021-05-10 22:28:20 -04:00
v4l2.h media: v4l2: abstract timeval handling in v4l2_buffer 2020-01-03 15:43:35 +01:00
vb2.h
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-06-09 10:22:43 +02:00
vsock_virtio_transport_common.h virtio/vsock: update trace event for SEQPACKET 2021-06-11 13:32:47 -07:00
wbt.h bdi: use bdi_dev_name() to get device name 2020-05-09 16:07:39 -06:00
workqueue.h workqueue/tracing: Copy workqueue name to buffer in trace event 2021-03-18 12:57:37 -04:00
writeback.h trace: replace WB_REASON_FOREIGN_FLUSH with a string 2021-06-10 11:16:20 -04:00
xdp.h xdp: Extend xdp_redirect_map with broadcast support 2021-05-26 09:46:16 +02:00
xen.h x86/mm/tlb: Flush remote and local TLBs concurrently 2021-03-06 12:59:10 +01:00