linux/drivers/net/wireless
Mark A. Greer f873ded213 mwifiex: debugfs: Fix out of bounds array access
When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
the following panic occurs:

$ cat /sys/kernel/debug/mwifiex/p2p0/info
Unable to handle kernel paging request at virtual address 74706164
pgd = de530000
[74706164] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
task: de16b6c0 ti: de048000 task.ti: de048000
PC is at strnlen+0xc/0x4c
LR is at string+0x3c/0xf8
pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
sp : de049e10  ip : c06efba0  fp : de6d2092
r10: bf01a260  r9 : ffffffff  r8 : 74706164
r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9e530019  DAC: 00000015
Process cat (pid: 1635, stack limit = 0xde048240)
Stack: (0xde049e10 to 0xde04a000)
[<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
[<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
[<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
[<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
[<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
[<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
[<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
---[ end trace ca98273dc605a04f ]---

The panic is caused by the mwifiex_info_read() routine assuming that
there can only be four modes (0-3) which is an invalid assumption.
For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
code accesses data beyond the bounds of the bss_modes[] array which
causes the panic.  Fix this by updating bss_modes[] to support the
current list of modes and adding a check to prevent the out-of-bounds
access from occurring in the future when more modes are added.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 10:20:55 -04:00
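The defect described above is an unchecked table index: the mode number selects a string pointer from bss_modes[], so any mode beyond the table's last entry reads past the array (here, a garbage pointer handed to sprintf). The following is an added example, not the driver's code, of the bounded lookup the fix describes; the table contents and numbering (following nl80211 iftypes, where mode 8 is P2P_CLIENT as in the oops) and the ARRAY_SIZE macro are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed table: mode names indexed by interface-mode number.
 * Numbering follows nl80211 iftypes (mode 8 is P2P_CLIENT, matching the
 * oops above); this is not the driver's own bss_modes[] table. */
static const char *const bss_modes[] = {
	[0]  = "UNSPECIFIED",
	[1]  = "ADHOC",
	[2]  = "STATION",
	[3]  = "AP",
	[4]  = "AP_VLAN",
	[5]  = "WDS",
	[6]  = "MONITOR",
	[7]  = "MESH_POINT",
	[8]  = "P2P_CLIENT",
	[9]  = "P2P_GO",
	[10] = "P2P_DEVICE",
};

/* Bounded lookup: a mode at or past ARRAY_SIZE(bss_modes), or a gap left
 * by a designated initializer, maps to "Unknown" instead of reading past
 * the array.  Adding modes later only requires extending the table. */
static const char *bss_mode_name(unsigned int mode)
{
	if (mode >= ARRAY_SIZE(bss_modes) || !bss_modes[mode])
		return "Unknown";
	return bss_modes[mode];
}

/* Render one debugfs-style info line into buf with snprintf so the output
 * buffer cannot be overrun either; returns the length of the line. */
static int format_mode_line(char *buf, size_t len, unsigned int mode)
{
	return snprintf(buf, len, "mode=\"%s\"\n", bss_mode_name(mode));
}

int main(void)
{
	char line[64];

	format_mode_line(line, sizeof line, 8);   /* in range: P2P_CLIENT */
	fputs(line, stdout);
	format_mode_line(line, sizeof line, 42);  /* out of range: Unknown */
	fputs(line, stdout);
	return 0;
}
```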
ath ath9k: use correct OTP register offsets for AR9550 2013-05-28 13:43:10 -04:00
b43 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-05-10 10:29:24 -04:00
b43legacy Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2013-04-24 10:54:20 -04:00
brcm80211 brcmfmac: Disable powersave mode for P2P link. 2013-05-28 13:43:10 -04:00
hostap wireless: single_open() leaks 2013-05-05 00:13:20 -04:00
ipw2x00 ipw2x00: move to kstrto* functions 2013-04-10 14:10:34 -04:00
iwlegacy iwlegacy: remove inline marking of EXPORT_SYMBOL functions 2013-05-17 14:31:05 -04:00
iwlwifi iwlwifi: dvm: fix zero LQ CMD sending avoidance 2013-05-27 11:33:57 +02:00
libertas drivers/net: use module_pcmcia_driver() in pcmcia drivers 2013-03-15 12:27:33 -07:00
libertas_tf mac80211: Use a cfg80211_chan_def in ieee80211_hw_conf_chan 2013-03-25 19:19:35 +01:00
mwifiex mwifiex: debugfs: Fix out of bounds array access 2013-06-12 10:20:55 -04:00
orinoco Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-05-01 14:08:52 -07:00
p54 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2013-04-24 10:54:20 -04:00
prism54 wireless: Remove unnecessary alloc/OOM messages, alloc cleanups 2013-02-04 13:22:34 -05:00
rt2x00 rt2x00: Use more current logging styles, shrink object size 2013-04-22 15:20:26 -04:00
rtl818x mac80211: Use a cfg80211_chan_def in ieee80211_hw_conf_chan 2013-03-25 19:19:35 +01:00
rtlwifi rtlwifi: rtl8192cu: Add new USB ID 2013-05-17 14:31:07 -04:00
ti Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2013-04-24 10:54:20 -04:00
zd1211rw mac80211: Use a cfg80211_chan_def in ieee80211_hw_conf_chan 2013-03-25 19:19:35 +01:00
adm8211.c mac80211: Use a cfg80211_chan_def in ieee80211_hw_conf_chan 2013-03-25 19:19:35 +01:00
adm8211.h
airo_cs.c drivers/net: use module_pcmcia_driver() in pcmcia drivers 2013-03-15 12:27:33 -07:00
airo.c airo: Use remove_proc_subtree() 2013-05-01 17:29:42 -04:00
airo.h
at76c50x-usb.c mac80211: Use a cfg80211_chan_def in ieee80211_hw_conf_chan 2013-03-25 19:19:35 +01:00
at76c50x-usb.h
atmel_cs.c drivers/net: use module_pcmcia_driver() in pcmcia drivers 2013-03-15 12:27:33 -07:00
atmel_pci.c atmel: remove __dev* attributes 2012-12-06 15:04:56 -05:00
atmel.c atmel: printing bogus information 2013-05-22 14:51:11 -04:00
atmel.h
Kconfig drivers/net/wireless: remove depends on CONFIG_EXPERIMENTAL 2013-01-22 12:01:35 -08:00
mac80211_hwsim.c mac80211_hwsim: correctly register the platform driver 2013-05-16 22:38:02 +02:00
mac80211_hwsim.h
Makefile wireless: fix Atheros drivers compilation 2012-12-17 15:48:43 -05:00
mwl8k.c mwl8k: remove nonstandard rate 72 Mbps 2013-04-22 15:06:44 -04:00
ray_cs.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ray_cs.h
rayctl.h
rndis_wlan.c rndis_wlan: update email address 2013-03-08 15:58:54 -05:00
wl3501_cs.c drivers/net: use module_pcmcia_driver() in pcmcia drivers 2013-03-15 12:27:33 -07:00
wl3501.h
zd1201.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
zd1201.h