From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Gustavo Padovan <gustavo@padovan.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, channing <chao.bi@intel.com>,
Pavan Savoy <pavan_savoy@ti.com>
Subject: Re: [PATCH] ti-st: fix NULL dereference on protocol type check
Date: Fri, 26 Jul 2013 16:15:59 -0700
Message-ID: <20130726231559.GA30720@kroah.com>
In-Reply-To: <20130725181619.GA1753@joana>
On Thu, Jul 25, 2013 at 07:16:28PM +0100, Gustavo Padovan wrote:
> * Andrew Morton <akpm@linux-foundation.org> [2013-07-24 16:12:22 -0700]:
>
> > On Tue, 23 Jul 2013 15:29:31 +0100 Gustavo Padovan <gustavo@padovan.org> wrote:
> >
> > > From: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
> > >
> > > If the type we receive is greater than ST_MAX_CHANNELS we can't rely on
> > > type as a vector index, since we would be accessing unknown memory when we use the type
> > > as an index.
> > >
> > > Unable to handle kernel NULL pointer dereference at virtual address 0000001b
> > > pgd = c0004000
> > > [0000001b] *pgd=00000000
> > > Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> > > Modules linked in: btwilink wl12xx wlcore mac80211 cfg80211 rfcomm bnep bluo
> > > CPU: 0 Tainted: G W (3.4.0+ #15)
> > > PC is at st_int_recv+0x278/0x344
> > > LR is at get_parent_ip+0x14/0x30
> > > pc : [<c03b01a8>] lr : [<c007273c>] psr: 200f0193
> > > sp : dc631ed0 ip : e3e21c24 fp : dc631f04
> > > r10: 00000000 r9 : 600f0113 r8 : 0000003f
> > > r7 : e3e21b14 r6 : 00000067 r5 : e2e49c1c r4 : e3e21a80
> > > r3 : 00000001 r2 : 00000001 r1 : 00000001 r0 : 600f0113
> > > Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> > > Control: 10c5387d Table: 9c50004a DAC: 00000015
> > >
> > > Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
> > > ---
> > > drivers/misc/ti-st/st_core.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
> > > index 0a14280..8e64eb1 100644
> > > --- a/drivers/misc/ti-st/st_core.c
> > > +++ b/drivers/misc/ti-st/st_core.c
> > > @@ -343,7 +343,7 @@ void st_int_recv(void *disc_data,
> > > /* Unknow packet? */
> > > default:
> > > type = *ptr;
> > > - if (st_gdata->list[type] == NULL) {
> > > + if (type >= ST_MAX_CHANNELS || st_gdata->list[type] == NULL) {
> > > pr_err("chip/interface misbehavior dropping"
> > > " frame starting with 0x%02x", type);
> > > goto done;
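Review bot: the new `type >= ST_MAX_CHANNELS` test only closes the out-of-bounds read if `type` can never be negative, and the hunk does not show how `type` or `ptr` are declared. If `ptr` is a plain `char *` and `type` an `int`, then on a target where `char` is signed (x86, unlike the ARM machine in the oops) a leading byte of 0x80 or above becomes a negative index that passes the check and still reads outside `list[]`. Reading the byte as `unsigned char` (`type = *(unsigned char *)ptr;`), declaring `type` unsigned, or adding `type < 0 ||` to the condition would make the guard hold on every architecture. Minor: the `pr_err` format string has no trailing `\n`.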
> >
> > This would be a bug in the calling code, would it not?
>
> It is possible and it seems 39f610e40 could be a fix for this. I would need to
> test. I was testing it on an old kernel without this patch. In any case my patch
> is still needed.
Why? Shouldn't you just prevent this from ever happening in the first
place?
thanks,
greg k-h
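The pattern the patch guards against, as an added example that is not the ti-st driver's code and not part of this thread: a protocol-type byte taken from an untrusted frame is used to index a per-channel table. The value of ST_MAX_CHANNELS (16), the struct layouts, the registered slots and the lookup_* / range_check_rejects functions are all assumptions made for the example; the page only names the constant and shows the one-line check. The example also covers a caveat the hunk leaves open: if the byte is read through a plain char on a target where char is signed, a "type >= ST_MAX_CHANNELS" test alone does not reject a high byte, because it has already become a negative int.

```c
/* Added example, not the ti-st driver's code. Everything below is a
 * constructed model of the pattern in the hunk: a type byte from a frame
 * indexes st_gdata->list[] and a NULL slot means "no protocol registered". */
#include <stdio.h>
#include <string.h>

#define ST_MAX_CHANNELS 16   /* assumed value; the page only names the constant */

struct st_proto {
    const char *name;        /* hypothetical: identifies a registered channel */
};

struct st_data {
    struct st_proto *list[ST_MAX_CHANNELS];   /* per-channel table, NULL = unused */
};

/* Pattern before the fix: the only test is whether the slot is NULL. A type
 * of 0x1b (27) reads 11 pointers past the end of a 16-slot table, which is
 * how a misbehaving chip turns into an oops. Kept only to show the defect;
 * it is never called with an out-of-range type here because that read is
 * undefined behaviour. Returns the channel index or -1 to drop the frame. */
static int lookup_unchecked(struct st_data *st, const char *ptr)
{
    int type = *ptr;
    if (st->list[type] == NULL)   /* out-of-bounds read when type >= 16 */
        return -1;
    return type;
}

/* The raw range test from the hunk, isolated so the signedness pitfall is
 * visible: a negative type slips through "type >= ST_MAX_CHANNELS". */
static int range_check_rejects(int type)
{
    return type >= ST_MAX_CHANNELS;
}

/* Pattern after the fix, with the byte read through unsigned char so that
 * type is always 0..255 regardless of whether char is signed on the target
 * (it is on x86, not on ARM). The order matters: the range test must come
 * before list[type] is touched. */
static int lookup_checked(struct st_data *st, const char *ptr)
{
    int type = *(const unsigned char *)ptr;   /* never negative */
    if (type >= ST_MAX_CHANNELS || st->list[type] == NULL) {
        fprintf(stderr, "chip/interface misbehavior dropping"
                " frame starting with 0x%02x\n", type);
        return -1;
    }
    return type;
}

/* Constructed table: three registered slots, the rest NULL. Slot numbers
 * and names are made up for the example. */
static struct st_proto bt_proto  = { "BT"  };
static struct st_proto fm_proto  = { "FM"  };
static struct st_proto gps_proto = { "GPS" };

static struct st_data *make_sample_table(void)
{
    static struct st_data st;
    memset(&st, 0, sizeof(st));
    st.list[2] = &bt_proto;
    st.list[4] = &fm_proto;
    st.list[9] = &gps_proto;
    return &st;
}

int main(void)
{
    struct st_data *st = make_sample_table();
    /* Constructed frames: only the leading type byte matters for the lookup. */
    const char good[]       = "\x04\x00\x01";   /* registered slot 4 */
    const char unregistered[] = "\x05";         /* in range, NULL slot */
    const char oob[]        = "\x1b\x00";       /* 27, the value in the oops */
    const char high[]       = "\x80";           /* 128, negative as signed char */

    printf("good:         %d\n", lookup_checked(st, good));
    printf("unregistered: %d\n", lookup_checked(st, unregistered));
    printf("oob:          %d\n", lookup_checked(st, oob));
    printf("high:         %d\n", lookup_checked(st, high));
    printf("signed 0x80 rejected by >= alone: %d\n",
           range_check_rejects((signed char)0x80));
    printf("unsigned 0x80 rejected by >= alone: %d\n",
           range_check_rejects((unsigned char)0x80));
    return 0;
}
```

lookup_unchecked behaves identically to lookup_checked for in-range input, which is why the bug only shows up when the chip sends a type the driver never registered; the difference is what happens on the first bad byte. Reading the byte as unsigned char costs nothing and removes the dependence on the target's char signedness.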
Thread overview: 4+ messages
2013-07-23 14:29 [PATCH] ti-st: fix NULL dereference on protocol type check Gustavo Padovan
2013-07-24 23:12 ` Andrew Morton
2013-07-25 18:16 ` Gustavo Padovan
2013-07-26 23:15 ` Greg Kroah-Hartman [this message]