DivestOS/Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch
2017-11-07 17:32:46 -05:00

From 6975e2dd5f37de965093ba3a8a08635a77a960f7 Mon Sep 17 00:00:00 2001
From: David Keitel <dkeitel@codeaurora.org>
Date: Mon, 20 Apr 2015 15:51:33 -0700
Subject: bcl: fix allocation for BCL attribute

The size of the BCL attribute is incorrect due to a precedence bug:
This was observed while booting with Kernel Address Sanitizer (KASan) enabled.
=============================================================================
BUG kmalloc-64 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Slab 0xffffffbc0661c6e0 objects=64 used=64 fp=0x (null) flags=0x0080
INFO: Object 0xffffffc0a360bb00 @offset=2816 fp=0xffffffc0a3454728
Bytes b4 ffffffc0a360baf0: 3f 37 9c 1c 00 00 00 00 02 00 02 00 a9 4e ad de ?7...........N..
Object ffffffc0a360bb00: 28 47 45 a3 c0 ff ff ff 48 47 45 a3 c0 ff ff ff (GE.....HGE.....
Object ffffffc0a360bb10: 68 47 45 a3 c0 ff ff ff 00 00 00 00 00 00 00 00 hGE.............
Object ffffffc0a360bb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffffffc0a360bb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 3.10.49-g465b172-00133-gb931dc1 #134
Call trace:
[<ffffffc00040a2a4>] dump_backtrace+0x0/0x1d4
[<ffffffc00040a488>] show_stack+0x10/0x1c
[<ffffffc000f971a4>] dump_stack+0x1c/0x28
[<ffffffc00054aeb4>] print_trailer+0x144/0x158
[<ffffffc00054b210>] object_err+0x38/0x4c
[<ffffffc00054fed8>] kasan_report_error+0x210/0x3b0
[<ffffffc000550188>] kasan_report+0x68/0x78
[<ffffffc00054f1b0>] __asan_load8+0x90/0x9c
[<ffffffc0005dff78>] internal_create_group+0x1a0/0x2f4
[<ffffffc0005e00dc>] sysfs_create_group+0x10/0x1c
[<ffffffc000c5eb9c>] msm_bcl_register_param+0x384/0x450
[<ffffffc000c61758>] bcl_probe+0x840/0xb84
[<ffffffc000a394b8>] spmi_drv_probe+0x2c/0x3c
[<ffffffc000999150>] driver_probe_device+0x1f4/0x47c
[<ffffffc0009994c4>] __driver_attach+0x88/0xc0
[<ffffffc000996434>] bus_for_each_dev+0xdc/0x11c
[<ffffffc0009988ac>] driver_attach+0x2c/0x3c
[<ffffffc0009981fc>] bus_add_driver+0x1bc/0x32c
[<ffffffc000999d1c>] driver_register+0x10c/0x1d8
[<ffffffc000a39a30>] spmi_driver_register+0x98/0xa8
[<ffffffc00183a300>] bcl_perph_init+0x2c/0x38
[<ffffffc000400b00>] do_one_initcall+0xcc/0x188
[<ffffffc001800b54>] kernel_init_freeable+0x1c0/0x264
[<ffffffc000f89b84>] kernel_init+0x10/0xcc
Memory state around the buggy address:
ffffffc0a360ba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0a360ba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0a360bb00: 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc fc
^
ffffffc0a360bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0a360bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fix this by adding parentheses to fix precedence.
CRs-Fixed: 826589
Change-Id: Ia58b6e52c491b89b10a2b8fe45445372bfe9fa20
Signed-off-by: David Keitel <dkeitel@codeaurora.org>
---
drivers/power/msm_bcl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
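An added example (not part of the patch or of the msm_bcl driver) that decodes the KASan shadow row from the report above and checks it against the two allocation expressions in the patch; the 8-byte pointer size and the element count N are inferred from the report, since the value of BCL_PARAM_MAX_ATTR does not appear on this page:

```c
#include <stddef.h>
#include <stdio.h>

/* Pointer size on the arm64 kernel in the report (assumed: 8 bytes). */
#define PTR_SIZE 8u

/* Bytes allocated by the original expression: the "+ 1" binds to the
 * product, so only one extra byte is added, not one extra pointer slot. */
size_t bcl_attrs_bytes_buggy(unsigned n) { return PTR_SIZE * n + 1; }

/* Bytes allocated by the patched expression, sizeof(...) * (n + 1). */
size_t bcl_attrs_bytes_fixed(unsigned n) { return PTR_SIZE * (n + 1); }

/* sysfs walks attrs[] until it reads a NULL entry; that sentinel is the
 * element at index n, occupying bytes [n*8, n*8+8). Returns 1 when the
 * whole slot lies inside an allocation of 'alloc' bytes. */
int sentinel_in_bounds(unsigned n, size_t alloc) {
    return (size_t)n * PTR_SIZE + PTR_SIZE <= alloc;
}

/* Decode a KASan "Memory state" row whose first shadow byte covers the
 * start of the object: 00 = 8 addressable bytes, 01..07 = that many
 * leading bytes, anything else (fc = kmalloc redzone) ends the object. */
size_t kasan_addressable_bytes(const unsigned char *shadow, size_t count) {
    size_t bytes = 0;
    for (size_t i = 0; i < count; i++) {
        if (shadow[i] == 0x00) { bytes += 8; continue; }
        if (shadow[i] >= 0x01 && shadow[i] <= 0x07) bytes += shadow[i];
        break;
    }
    return bytes;
}

/* Shadow bytes copied from the ">ffffffc0a360bb00:" row of the report. */
static const unsigned char bcl_shadow_row[16] = {
    0x00, 0x00, 0x00, 0x01, 0xfc, 0xfc, 0xfc, 0xfc,
    0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc };

int main(void) {
    size_t valid = kasan_addressable_bytes(bcl_shadow_row, sizeof bcl_shadow_row);
    unsigned n = (unsigned)((valid - 1) / PTR_SIZE); /* inferred BCL_PARAM_MAX_ATTR */
    printf("report: %zu addressable bytes -> N = %u (inferred)\n", valid, n);
    printf("buggy:  %zu bytes, sentinel in bounds: %d\n", bcl_attrs_bytes_buggy(n),
           sentinel_in_bounds(n, bcl_attrs_bytes_buggy(n)));
    printf("fixed:  %zu bytes, sentinel in bounds: %d\n", bcl_attrs_bytes_fixed(n),
           sentinel_in_bounds(n, bcl_attrs_bytes_fixed(n)));
    return 0;
}
```

The 25 addressable bytes recovered from the shadow row equal 8*N+1 only under the original expression, which is why internal_create_group's 8-byte load of the terminator slot trips KASan.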
diff --git a/drivers/power/msm_bcl.c b/drivers/power/msm_bcl.c
index d36dfd2..6b7cefd 100644
--- a/drivers/power/msm_bcl.c
+++ b/drivers/power/msm_bcl.c
@@ -301,7 +301,7 @@ static int bcl_add_sysfs_nodes(enum bcl_param param_type)
return ret;
}
bcl[param_type]->bcl_attr_gp.attrs = kzalloc(sizeof(struct attribute *)
- * BCL_PARAM_MAX_ATTR + 1, GFP_KERNEL);
+ * (BCL_PARAM_MAX_ATTR + 1), GFP_KERNEL);
if (!bcl[param_type]->bcl_attr_gp.attrs) {
pr_err("Sysfs attribute create failed.\n");
ret = -ENOMEM;
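Review bot: the parenthesization in this hunk is the right fix, because `sizeof(struct attribute *) * BCL_PARAM_MAX_ATTR + 1` adds a single byte instead of one extra pointer slot, leaving the NULL terminator that internal_create_group reads past the end of the allocation (the `>ffffffc0a360bb00: 00 00 00 01 fc ...` shadow row in the report shows exactly 8*N+1 addressable bytes). To make the element count explicit and keep this precedence slip from recurring, consider `kcalloc(BCL_PARAM_MAX_ATTR + 1, sizeof(struct attribute *), GFP_KERNEL)` in place of the kzalloc call; it zero-fills like kzalloc, so the terminator still starts out NULL. The error path below the allocation already logs and returns -ENOMEM, so nothing else in the hunk needs changing.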
--