DivestOS/Patches/Linux_CVEs/CVE-2017-0619/ANY/0.patch

From 72f67b29a9c5e6e8d3c34751600c749c5f5e13e1 Mon Sep 17 00:00:00 2001
From: David Keitel <dkeitel@codeaurora.org>
Date: Thu, 16 Apr 2015 16:26:28 -0700
Subject: pinctrl: msm: fix function name allocation length

Currently pinctrl driver allocates with the length
following calculation:

  length = strlen(grp_name) + strlen("-func").

However, this does not take into account for the string
terminating character which is used in the subsequent
snprintf and causes KASan to trigger a bug report:

=============================================================================
BUG kmalloc-64 (Tainted: G    B       ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Slab 0xffffffbc065fb940 objects=64 used=64 fp=0x          (null) flags=0x0080
INFO: Object 0xffffffc0a32c24c0 @offset=1216 fp=0x6365632d696d6468

Bytes b4 ffffffc0a32c24b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffffffc0a32c24c0: 68 64 6d 69 2d 63 65 63 2d 70 69 6e 73 2d 66 75  hdmi-cec-pins-fu
Object ffffffc0a32c24d0: 6e 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00  nc..............
Object ffffffc0a32c24e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffffffc0a32c24f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B        3.10.49-g465b172-00127-g2b70c1d-dirty #119
Call trace:
[<ffffffc00040a2a4>] dump_backtrace+0x0/0x1d4
[<ffffffc00040a488>] show_stack+0x10/0x1c
[<ffffffc000f97164>] dump_stack+0x1c/0x28
[<ffffffc00054aea0>] print_trailer+0x144/0x158
[<ffffffc00054b1fc>] object_err+0x38/0x4c
[<ffffffc00054fec4>] kasan_report_error+0x210/0x3b0
[<ffffffc000550168>] kasan_report+0x5c/0x68
[<ffffffc00054f754>] __asan_store1+0x70/0x7c
[<ffffffc000766e20>] vsnprintf+0x644/0x69c
[<ffffffc000767034>] snprintf+0x94/0xb0
[<ffffffc000792510>] msm_dt_node_to_map+0x2cc/0x378
[<ffffffc0007915f0>] pinctrl_dt_to_map+0x32c/0x424
[<ffffffc00078ce24>] pinctrl_get+0x1b0/0x53c
[<ffffffc00078d1e4>] devm_pinctrl_get+0x34/0x80
[<ffffffc0009b9150>] pinctrl_bind_pins+0x44/0x1b4
[<ffffffc0009990a4>] driver_probe_device+0x188/0x47c
[<ffffffc000999484>] __driver_attach+0x88/0xc0
[<ffffffc0009963f4>] bus_for_each_dev+0xdc/0x11c
[<ffffffc00099886c>] driver_attach+0x2c/0x3c
[<ffffffc0009981bc>] bus_add_driver+0x1bc/0x32c
[<ffffffc000999cdc>] driver_register+0x10c/0x1d8
[<ffffffc00099b854>] platform_driver_register+0x98/0xa8
[<ffffffc00182aa78>] hdmi_tx_drv_init+0x18/0x4c
[<ffffffc000400b00>] do_one_initcall+0xcc/0x188
[<ffffffc001800b54>] kernel_init_freeable+0x1c0/0x264
[<ffffffc000f89b44>] kernel_init+0x10/0xcc
Memory state around the buggy address:
 ffffffc0a32c2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffffffc0a32c2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffffffc0a32c2480: fb fb fb fb fb fb fb fb 00 00 02 fc fc fc fc fc
                                                  ^
 ffffffc0a32c2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0a32c2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Fix this by increasing the allocation to length + 1

CRs-Fixed: 826566
Change-Id: Ied04500e6b0c0187b2bea0cfaa9adb4080c2f614
Signed-off-by: David Keitel <dkeitel@codeaurora.org>
Signed-off-by: Stepan Moskovchenko <stepanm@codeaurora.org>
---
 drivers/pinctrl/msm/pinctrl-msm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/pinctrl/msm/pinctrl-msm.c b/drivers/pinctrl/msm/pinctrl-msm.c
index b3b97a8..07f7b43 100644
--- a/drivers/pinctrl/msm/pinctrl-msm.c
+++ b/drivers/pinctrl/msm/pinctrl-msm.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -293,6 +293,7 @@ static int msm_dt_node_to_map(struct pinctrl_dev *pctldev,
 	char *fn_name;
 	u32 val;
 	unsigned long *cfg;
+	unsigned int fn_name_len = 0;
 	int cfg_cnt = 0, map_cnt = 0, func_cnt = 0, ret = 0;
 
 	dd = pinctrl_dev_get_drvdata(pctldev);
@@ -338,14 +339,14 @@ static int msm_dt_node_to_map(struct pinctrl_dev *pctldev,
 	}
 	/* Get function mapping */
 	of_property_read_u32(parent, "qcom,pin-func", &val);
-	fn_name = kzalloc(strlen(grp_name) + strlen("-func"),
-						GFP_KERNEL);
+
+	fn_name_len = strlen(grp_name) + strlen("-func") + 1;
+	fn_name = kzalloc(fn_name_len, GFP_KERNEL);
 	if (!fn_name) {
 		ret = -ENOMEM;
 		goto func_err;
 	}
-	snprintf(fn_name, strlen(grp_name) + strlen("-func") + 1, "%s%s",
-						grp_name, "-func");
+	snprintf(fn_name, fn_name_len, "%s-func", grp_name);
 	map[*nmaps].data.mux.group = grp_name;
 	map[*nmaps].data.mux.function = fn_name;
 	map[*nmaps].type = PIN_MAP_TYPE_MUX_GROUP;
-- 
cgit v1.1