Date: Thu, 25 Jul 2013 19:16:28 +0100
From: Gustavo Padovan
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, channing, Pavan Savoy
Subject: Re: [PATCH] ti-st: fix NULL dereference on protocol type check
Message-ID: <20130725181619.GA1753@joana>
References: <1374589774-450-1-git-send-email-gustavo@padovan.org> <20130724161222.f87f698d991594f5c94e455f@linux-foundation.org>
In-Reply-To: <20130724161222.f87f698d991594f5c94e455f@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

* Andrew Morton [2013-07-24 16:12:22 -0700]:
> On Tue, 23 Jul 2013 15:29:31 +0100 Gustavo Padovan wrote:
> > > From: Gustavo Padovan
> >
> > If the type we receive is greater than ST_MAX_CHANNELS we can't rely on
> > type as a vector index, since we would be accessing unknown memory when we use the type
> > as the index.
> >
> > Unable to handle kernel NULL pointer dereference at virtual address 0000001b
> > pgd = c0004000
> > [0000001b] *pgd=00000000
> > Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> > Modules linked in: btwilink wl12xx wlcore mac80211 cfg80211 rfcomm bnep bluo
> > CPU: 0 Tainted: G W (3.4.0+ #15)
> > PC is at st_int_recv+0x278/0x344
> > LR is at get_parent_ip+0x14/0x30
> > pc : [] lr : [] psr: 200f0193
> > sp : dc631ed0 ip : e3e21c24 fp : dc631f04
> > r10: 00000000 r9 : 600f0113 r8 : 0000003f
> > r7 : e3e21b14 r6 : 00000067 r5 : e2e49c1c r4 : e3e21a80
> > r3 : 00000001 r2 : 00000001 r1 : 00000001 r0 : 600f0113
> > Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> > Control: 10c5387d Table: 9c50004a DAC: 00000015
> >
> > Signed-off-by: Gustavo Padovan
> > ---
> > drivers/misc/ti-st/st_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
> > index 0a14280..8e64eb1 100644
> > --- a/drivers/misc/ti-st/st_core.c
> > +++ b/drivers/misc/ti-st/st_core.c
> > @@ -343,7 +343,7 @@ void st_int_recv(void *disc_data,
> > /* Unknow packet? */
> > default:
> > type = *ptr;
> > - if (st_gdata->list[type] == NULL) {
> > + if (type >= ST_MAX_CHANNELS || st_gdata->list[type] == NULL) {
> > pr_err("chip/interface misbehavior dropping"
> > " frame starting with 0x%02x", type);
> > goto done;

> This would be a bug in the calling code, would it not?

It is possible and it seems 39f610e40 could be a fix for this. I would need
to test. I was testing it on an old kernel without this patch.

In any case, my patch is still needed.

	Gustavo
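Review bot: the commit message says "greater than ST_MAX_CHANNELS" but the added check correctly rejects `type >= ST_MAX_CHANNELS`, and that is the bound that matters, because `list[ST_MAX_CHANNELS]` is already one past the end of the table; please reword the message to "greater than or equal to" so it matches the code. Two further points on the `+` line: the `||` ordering is right, since `type >= ST_MAX_CHANNELS` short-circuits before `st_gdata->list[type]` is loaded, but a single upper bound is only complete if `type` is an unsigned type, which the hunk does not show; if `type` were signed, a byte of 0x80 or above would pass the test and index the table with a negative value, so please confirm its declaration. On the calling-code question raised above: the type byte is read straight from the frame (`type = *ptr`), so even if the caller is fixed the bounds check belongs here, and it reuses the existing `pr_err` drop path at no extra cost.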
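The pattern the patch fixes, a handler table indexed by a byte taken from a received frame, is shown below as an added userspace example. It is not code from the ti-st driver or from this thread; the table name `channel_list`, the `st_proto` structure, `dispatch_frame`, the result codes and the sample frames are all constructed for illustration. It keeps the check order from the patch (range first, NULL second) and also shows why the bound only works when the index variable is unsigned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the per-channel handler table; mirrors ST_MAX_CHANNELS in the patch. */
#define ST_MAX_CHANNELS 16

enum dispatch_result {
	DELIVERED,         /* frame handed to a registered handler */
	DROP_TOO_SHORT,    /* no type byte at all */
	DROP_OUT_OF_RANGE, /* type byte >= ST_MAX_CHANNELS: must never be used as an index */
	DROP_NO_HANDLER    /* type in range, but no protocol registered for it */
};

/* Hypothetical per-protocol handler, standing in for the driver's channel
 * registration structure (invented for this example). */
struct st_proto {
	const char *name;
	int (*recv)(const uint8_t *payload, size_t len);
};

static int example_recv(const uint8_t *payload, size_t len)
{
	(void)payload;
	return (int)len;
}

static struct st_proto example_proto = { "example", example_recv };

/* Handler table indexed by the type byte; unregistered slots stay NULL.
 * Constructed for this example: only type 0x04 has a handler. */
static struct st_proto *channel_list[ST_MAX_CHANNELS] = {
	[0x04] = &example_proto,
};

/* Dispatch a received frame on its first byte. The range check comes first:
 * `type >= ST_MAX_CHANNELS || channel_list[type] == NULL` short-circuits
 * before the table load, so an out-of-range type never indexes the array.
 * `type` is unsigned, so one upper bound covers every possible byte value. */
enum dispatch_result dispatch_frame(const uint8_t *frame, size_t len)
{
	unsigned int type;

	if (len == 0)
		return DROP_TOO_SHORT;

	type = frame[0];
	if (type >= ST_MAX_CHANNELS || channel_list[type] == NULL) {
		fprintf(stderr, "chip/interface misbehavior dropping frame starting with 0x%02x\n", type);
		return type >= ST_MAX_CHANNELS ? DROP_OUT_OF_RANGE : DROP_NO_HANDLER;
	}

	channel_list[type]->recv(frame + 1, len - 1);
	return DELIVERED;
}

/* Why the signedness of the index matters for a single `>=` bound. Each
 * function returns 1 if the check rejects the byte and 0 if it slips through.
 * With a signed intermediate, bytes 0x80..0xff become negative, pass the
 * test, and would then index the table with a negative value. */
int bound_rejects_unsigned(uint8_t b)
{
	unsigned int type = b;
	return type >= ST_MAX_CHANNELS;
}

int bound_rejects_signed(uint8_t b)
{
	int type = (signed char)b;  /* what a signed `char` variable would yield */
	return type >= ST_MAX_CHANNELS;
}

int main(void)
{
	/* Constructed frames: registered type, unregistered type, out-of-range type. */
	const uint8_t ok[]   = { 0x04, 0xde, 0xad };
	const uint8_t none[] = { 0x05, 0xbe, 0xef };
	const uint8_t oob[]  = { 0x67, 0x00 };

	printf("0x04 -> %d\n", dispatch_frame(ok, sizeof ok));
	printf("0x05 -> %d\n", dispatch_frame(none, sizeof none));
	printf("0x67 -> %d\n", dispatch_frame(oob, sizeof oob));
	printf("0xff: signed check rejects %d, unsigned check rejects %d\n",
	       bound_rejects_signed(0xff), bound_rejects_unsigned(0xff));
	return 0;
}
```

The `0x10` boundary is the case the commit message's wording glosses over: 16 is not "greater than" ST_MAX_CHANNELS, yet `channel_list[16]` is already past the end of the table, which is why the code compares with `>=`.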