Commit 445fb9b8 authored by Bart Van Assche, committed by Treehugger Robot

ANDROID: firmware_loader: Fix a buffer underflow in firmware_param_path_get()



Fix the following KASAN complaint:

BUG: KASAN: slab-out-of-bounds in firmware_param_path_get+0x11e/0x130
Write of size 1 at addr ffff888156945fff by task dracut/7151

CPU: 114 UID: 0 PID: 7151 Comm: dracut Not tainted 6.12.23-dbg #14 b37048002fbe82089398ca883b3197e4fe6e7ef6
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 show_stack+0x4d/0x60
 dump_stack_lvl+0x61/0x80
 print_address_description.constprop.0+0x8b/0x320
 print_report+0xe7/0x1c5
 kasan_report+0xd1/0x1c0
 __asan_report_store1_noabort+0x1b/0x20
 firmware_param_path_get+0x11e/0x130
 param_attr_show+0x13b/0x200
 module_attr_show+0x46/0x70
 sysfs_kf_seq_show+0x1f2/0x350
 kernfs_seq_show+0x118/0x160
 seq_read_iter+0x2bb/0x1040
 kernfs_fop_read_iter+0xe9/0x150
 vfs_read+0x711/0xd40
 ksys_read+0x10b/0x200
 __x64_sys_read+0x76/0xb0
 x64_sys_call+0x1678/0x1790
 do_syscall_64+0x92/0x180
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 </TASK>

Allocated by task 7093:
 kasan_save_stack+0x2f/0x50
 kasan_save_track+0x18/0x40
 kasan_save_alloc_info+0x3b/0x50
 __kasan_kmalloc+0xaf/0xc0
 __kmalloc_node_noprof+0x1cd/0x4c0
 __kvmalloc_node_noprof+0x55/0x100
 seq_read_iter+0x6af/0x1040
 proc_reg_read_iter+0x1a6/0x270
 vfs_read+0x711/0xd40
 ksys_read+0x10b/0x200
 __x64_sys_read+0x76/0xb0
 x64_sys_call+0x1678/0x1790
 do_syscall_64+0x92/0x180
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 7093:
 kasan_save_stack+0x2f/0x50
 kasan_save_track+0x18/0x40
 kasan_save_free_info+0x3f/0x50
 __kasan_slab_free+0x56/0x70
 kfree+0x13b/0x3f0
 kvfree+0x2d/0x40
 single_release+0x77/0xc0
 close_pdeo.part.0+0xe3/0x2d0
 close_pdeo+0x155/0x170
 proc_reg_release+0x16d/0x1d0
 __fput+0x356/0xa40
 __fput_sync+0x2f/0x40
 __x64_sys_close+0x81/0xd0
 x64_sys_call+0x11fc/0x1790
 do_syscall_64+0x92/0x180
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Bug: 420669812
Test: blktests nvme/044
Fixes: ac1a02df ("ANDROID: firmware_loader: Add support for customer firmware paths")
Change-Id: I1fbf1f8d48e4611468e2ad80650001afdd3ea784
Signed-off-by: Bart Van Assche <bvanassche@google.com>
parent 077de228