kernel_samsung_a53x/drivers
Stefan Wiehler 37b99a41ad of/irq: Prevent device address out-of-bounds read in interrupt map walk
[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ]

When of_irq_parse_raw() is invoked with a device address smaller than
the interrupt parent node (from #address-cells property), KASAN detects
the following out-of-bounds read when populating the initial match table
(dyndbg="func of_irq_parse_* +p"):

  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
  OF:  intspec=4
  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
  OF:  -> addrsize=3
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
  Read of size 4 at addr ffffff81beca5608 by task bash/764

  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1
  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
  Call trace:
   dump_backtrace+0xdc/0x130
   show_stack+0x1c/0x30
   dump_stack_lvl+0x6c/0x84
   print_report+0x150/0x448
   kasan_report+0x98/0x140
   __asan_load4+0x78/0xa0
   of_irq_parse_raw+0x2b8/0x8d0
   of_irq_parse_one+0x24c/0x270
   parse_interrupts+0xc0/0x120
   of_fwnode_add_links+0x100/0x2d0
   fw_devlink_parse_fwtree+0x64/0xc0
   device_add+0xb38/0xc30
   of_device_add+0x64/0x90
   of_platform_device_create_pdata+0xd0/0x170
   of_platform_bus_create+0x244/0x600
   of_platform_notify+0x1b0/0x254
   blocking_notifier_call_chain+0x9c/0xd0
   __of_changeset_entry_notify+0x1b8/0x230
   __of_changeset_apply_notify+0x54/0xe4
   of_overlay_fdt_apply+0xc04/0xd94
   ...

  The buggy address belongs to the object at ffffff81beca5600
   which belongs to the cache kmalloc-128 of size 128
  The buggy address is located 8 bytes inside of
   128-byte region [ffffff81beca5600, ffffff81beca5680)

  The buggy address belongs to the physical page:
  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
  flags: 0x8000000000010200(slab|head|zone=2)
  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                        ^
   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
  ==================================================================
  OF:  -> got it !

Prevent the out-of-bounds read by copying the device address into a
buffer of sufficient size.

Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-19 00:09:59 +01:00
accessibility
acpi ACPI: processor: Fix memory leaks in error paths of processor_add() 2025-01-19 00:09:58 +01:00
amba
android binder: fix UAF caused by offsets overwrite 2025-01-19 00:09:59 +01:00
ata ata: pata_macio: Use WARN instead of BUG 2025-01-19 00:09:59 +01:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-11-23 23:20:43 +01:00
auxdisplay
base regmap: Use correct format specifier for logging range errors 2025-01-15 16:29:50 +01:00
battery Revert "battery: nuke sm5451_charger driver from a53x" 2025-01-18 22:11:40 +01:00
bcma
block virtio-blk: don't keep queue frozen during system suspend 2025-01-15 16:29:50 +01:00
bluetooth Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables 2024-12-17 13:24:31 +01:00
bts
bus Revert "bus: integrator-lm: fix OF node leak in probe()" 2024-11-24 00:23:16 +01:00
cdrom
char Revert "tpm: Clean up TPM space after command failure" 2024-11-24 00:23:24 +01:00
clk Revert "clkdev: remove CONFIG_CLKDEV_LOOKUP" 2025-01-02 17:01:18 +01:00
clocksource clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX 2025-01-19 00:09:59 +01:00
connector
counter
cpufreq exynos: acme: dumb down code to take in any freq table 2025-01-15 16:39:44 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() 2024-12-17 13:24:00 +01:00
dax
dca
devfreq
dio
dma dmaengine: dw: Select only supported masters for ACPI devices 2025-01-15 16:29:54 +01:00
dma-buf UPSTREAM: dma-buf: heaps: Fix off-by-one in CMA heap fault handler 2025-01-19 00:09:58 +01:00
edac EDAC/fsl_ddr: Fix bad bit shift operations 2024-12-17 13:23:59 +01:00
eisa
extcon
fingerprint
firewire
firmware BACKPORT: firmware: arm_scmi: Queue in scmi layer for mailbox implementation 2025-01-19 00:09:58 +01:00
fpga
fsi
gnss
gpio gpio: grgpio: Add NULL check in grgpio_probe 2024-12-17 13:24:27 +01:00
gpu drm: adv7511: Drop dsi single lane support 2025-01-15 16:29:56 +01:00
greybus
gud
hid HID: wacom: fix when get product name maybe null pointer 2024-12-17 13:24:28 +01:00
hsi
hv Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2025-01-19 00:09:59 +01:00
hwmon hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers 2025-01-15 16:29:45 +01:00
hwspinlock Revert "hwspinlock: Introduce hwspin_lock_bust()" 2024-11-24 00:23:48 +01:00
hwtracing Revert "coresight: tmc: sg: Do not leak sg_table" 2024-11-24 00:23:19 +01:00
i2c i2c: riic: Always round-up when calculating bus period 2025-01-15 16:29:41 +01:00
i3c i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock 2024-12-17 13:24:32 +01:00
ide
idle
ifconn
iio iio: buffer-dmaengine: fix releasing dma channel on error 2025-01-19 00:09:59 +01:00
infiniband RDMA/uverbs: Prevent integer overflow issue 2025-01-15 16:29:56 +01:00
input drivers: sec_input: stm_cmd.c: Expand snprintf sizes 2024-12-17 21:43:20 +01:00
interconnect Revert "interconnect: qcom: sm8250: Enable sync_state" 2024-11-24 00:23:19 +01:00
iommu iommu/arm-smmu: Defer probe of clients after smmu device bound 2024-12-17 13:24:29 +01:00
ipack
irqchip irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base 2025-01-15 16:29:56 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon
kq/mesh
leds leds: class: Protect brightness_show() with led_cdev->led_access mutex 2024-12-17 13:24:32 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox Revert "mailbox: rockchip: fix a typo in module autoloading" 2024-11-24 00:23:13 +01:00
mcb
md bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again 2024-12-17 13:24:28 +01:00
media media: platform: exynos: camera: Fix enum-compare compilation error from clang 19 2025-01-16 23:06:54 +01:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-11-23 23:20:46 +01:00
memstick
message scsi: fusion: Remove unused variable 'rc' 2024-12-17 13:24:09 +01:00
mfd mfd: rt5033: Fix missing regmap_del_irq_chip() 2024-12-17 13:24:08 +01:00
misc VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2025-01-19 00:09:59 +01:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2025-01-19 00:09:58 +01:00
most
mtd mtd: rawnand: fix double free in atmel_pmecc_create_user() 2025-01-15 16:29:50 +01:00
muic
mux
net net: wireless: scsc: Add support for NL80211_WPA_VERSION_3 2025-01-16 23:19:27 +01:00
nfc nfc: pn533: Add poll mod list filling check 2024-11-23 23:20:55 +01:00
ntb Revert "ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()" 2024-11-24 00:23:20 +01:00
nubus
nvdimm nvdimm: rectify the illogical code within nd_dax_probe() 2024-12-17 13:24:32 +01:00
nvme nvmet-tcp: fix kernel crash if commands allocation fails 2025-01-19 00:09:58 +01:00
nvmem nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc 2025-01-19 00:09:59 +01:00
of of/irq: Prevent device address out-of-bounds read in interrupt map walk 2025-01-19 00:09:59 +01:00
opp
oprofile
parisc
parport Revert "parport: Proper fix for array out-of-bounds access" 2024-11-24 00:22:51 +01:00
pci PCI: Add ACS quirk for Broadcom BCM5760X NIC 2025-01-15 16:29:40 +01:00
pcmcia Revert "pcmcia: Use resource_size function on resource object" 2024-11-24 00:23:42 +01:00
perf
phy phy: core: Fix that API devm_phy_destroy() fails to destroy the phy 2025-01-15 16:29:49 +01:00
pinctrl pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking 2025-01-15 16:29:56 +01:00
platform platform/x86: asus-nb-wmi: Ignore unknown event 0xCF 2025-01-15 16:29:50 +01:00
pnp
power power: supply: gpio-charger: Fix set charge current limits 2025-01-15 16:29:51 +01:00
powercap Revert "powercap: RAPL: fix invalid initialization for pl4_supported field" 2024-11-24 00:23:18 +01:00
pps Revert "pps: remove usage of the deprecated ida_simple_xx() API" 2024-11-24 00:23:14 +01:00
ps3
ptp ptp: Add error handling for adjfine callback in ptp_clock_adjtime 2024-12-17 13:24:25 +01:00
pwm pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle 2024-12-17 13:24:02 +01:00
rapidio
ras
regulator regulator: rk808: Add apply_bit for BUCK3 on RK809 2024-12-17 13:23:58 +01:00
remoteproc remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region 2024-12-17 13:24:13 +01:00
reset Revert "reset: berlin: fix OF node leak in probe() error path" 2024-11-24 00:23:27 +01:00
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2024-12-17 13:24:21 +01:00
rtc rtc: ab-eoz9: don't fail temperature reads on undervoltage notification 2024-12-17 13:24:22 +01:00
s390 Revert "s390/zcore: no need to check return value of debugfs_create functions" 2024-11-24 00:22:59 +01:00
samsung
sbus
scsi scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error 2025-01-15 16:29:50 +01:00
sensorhub
sensors
sfi
sh sh: clk: Fix clk_enable() to return 0 on NULL clk 2025-01-15 16:29:45 +01:00
siox
slimbus
soc fvmap: move undervolting settings to Kconfig 2025-01-15 16:40:04 +01:00
soundwire Revert "soundwire: stream: fix programming slave ports for non-continous port maps" 2024-11-24 00:23:49 +01:00
spi spi: mpc52xx: Add cancel_work_sync before module remove 2024-12-17 13:24:27 +01:00
spmi
spu_verify
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-11-23 23:20:44 +01:00
staging staging: iio: frequency: ad9834: Validate frequency parameter value 2025-01-19 00:09:59 +01:00
sti
target scsi: target: core: Fix null-ptr-deref in target_alloc_device() 2024-11-23 23:21:59 +01:00
tc
tee
thermal
thunderbolt thunderbolt: Add support for Intel Panther Lake-M/P 2025-01-15 16:29:53 +01:00
tty serial: 8250: omap: Move pm_runtime_get_sync 2024-12-17 13:24:19 +01:00
uh
uio uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind 2025-01-19 00:09:59 +01:00
usb USB: serial: option: add MediaTek T7XX compositions 2025-01-15 16:29:41 +01:00
vdpa vdpa/mlx5: Fix suboptimal range on iotlb iteration 2024-12-17 13:24:13 +01:00
vfio vfio/pci: Properly hide first-in-list PCIe extended capability 2024-12-17 13:24:13 +01:00
vhost Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vibrator
video fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() 2024-12-17 13:24:09 +01:00
virt
virtio Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 2025-01-15 16:29:50 +01:00
xen xen: Fix the issue of resource not being properly released in xenbus_dev_probe() 2024-12-17 13:24:17 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Welcome KernelSU Next 2025-01-15 16:32:35 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1