From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Armin Wolf <W_Armin@gmx.de>,
Guenter Roeck <linux@roeck-us.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access
Date: Tue, 13 Sep 2022 16:07:39 +0200 [thread overview]
Message-ID: <20220913140342.697010061@linuxfoundation.org> (raw)
In-Reply-To: <20220913140342.228397194@linuxfoundation.org>
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit f233d2be38dbbb22299192292983037f01ab363c ]
The driver does not check if the cooling state passed to
gpio_fan_set_cur_state() exceeds the maximum cooling state as
stored in fan_data->num_speeds. Since the cooling state is later
used as an array index in set_fan_speed(), an array out of bounds
access can occur.
This can be exploited by setting the state of the thermal cooling device
to arbitrary values, causing for example a kernel oops when unavailable
memory is accessed this way.
Example kernel oops:
[ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
[ 807.987369] Mem abort info:
[ 807.987398] ESR = 0x96000005
[ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits
[ 807.987477] SET = 0, FnV = 0
[ 807.987507] EA = 0, S1PTW = 0
[ 807.987536] FSC = 0x05: level 1 translation fault
[ 807.987570] Data abort info:
[ 807.987763] ISV = 0, ISS = 0x00000005
[ 807.987801] CM = 0, WnR = 0
[ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
[ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
[ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575
[ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[ 807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[ 807.988691] sp : ffffffc008cf3bd0
[ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
[ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
[ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
[ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
[ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
[ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
[ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
[ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
[ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
[ 807.989084] Call trace:
[ 807.989091] set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[ 807.989113] gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[ 807.989199] cur_state_store+0x84/0xd0
[ 807.989221] dev_attr_store+0x20/0x38
[ 807.989262] sysfs_kf_write+0x4c/0x60
[ 807.989282] kernfs_fop_write_iter+0x130/0x1c0
[ 807.989298] new_sync_write+0x10c/0x190
[ 807.989315] vfs_write+0x254/0x378
[ 807.989362] ksys_write+0x70/0xf8
[ 807.989379] __arm64_sys_write+0x24/0x30
[ 807.989424] invoke_syscall+0x4c/0x110
[ 807.989442] el0_svc_common.constprop.3+0xfc/0x120
[ 807.989458] do_el0_svc+0x2c/0x90
[ 807.989473] el0_svc+0x24/0x60
[ 807.989544] el0t_64_sync_handler+0x90/0xb8
[ 807.989558] el0t_64_sync+0x1a0/0x1a4
[ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
[ 807.989627] ---[ end trace 8ded4c918658445b ]---
Fix this by checking the cooling state and return an error if it
exceeds the maximum cooling state.
Tested on a Raspberry Pi 3.
Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/gpio-fan.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c
index 685568b1236d4..f78e677b858e8 100644
--- a/drivers/hwmon/gpio-fan.c
+++ b/drivers/hwmon/gpio-fan.c
@@ -422,6 +422,9 @@ static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev,
if (!fan_data)
return -EINVAL;
+ if (state >= fan_data->num_speed)
+ return -EINVAL;
+
set_fan_speed(fan_data, state);
return 0;
}
--
2.35.1
next prev parent reply other threads:[~2022-09-13 15:30 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
2022-11-23 6:34 ` Ulrich Hecht
2022-11-30 16:41 ` Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 06/42] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:07 ` Greg Kroah-Hartman [this message]
2022-09-13 14:07 ` [PATCH 4.9 09/42] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 10/42] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 11/42] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 12/42] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 13/42] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 14/42] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 15/42] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 16/42] s390: fix nospec table alignments Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 17/42] USB: core: Prevent nested device-reset calls Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 18/42] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 19/42] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 20/42] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
2022-09-14 9:50 ` [PATCH 4.9 00/42] 4.9.328-rc1 review Pavel Machek
2022-09-14 12:40 ` Naresh Kamboju
2022-09-14 17:46 ` Florian Fainelli
2022-09-15 0:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220913140342.697010061@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=W_Armin@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox