hdmitx: fix KASAN Bug in set_disp_mode_auto [1/1]
author Zongdong Jiao <zongdong.jiao@amlogic.com>
Thu, 13 Sep 2018 02:17:34 +0000 (10:17 +0800)
committer Zongdong Jiao <zongdong.jiao@amlogic.com>
Tue, 25 Dec 2018 10:09:31 +0000 (02:09 -0800)
commit 300909bdb47e226c87d352817d40de1c4bac426c
tree 13918598ff4a0a2bb7378c9b2733f844c472ae5c
parent e67d2603a3bd1591aaafeec1feec70cb9fe4f897
hdmitx: fix KASAN Bug in set_disp_mode_auto [1/1]

PD#173549: hdmitx: fix KASAN Bug in set_disp_mode_auto
==================================================================
BUG: KASAN: global-out-of-bounds in set_disp_mode_auto+0x244/0x870
Read of size 32 at addr ffffff900a67e4c0 by task power@1.0-servi/2924

CPU: 2 PID: 2924 Comm: power@1.0-servi Tainted: G    B      O    4.9.113 #1
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba234>] print_address_description+0x144/0x258
[<ffffff90092ba6ac>] kasan_report+0x264/0x338
[<ffffff90092b8ff4>] check_memory_region+0x12c/0x1c0
[<ffffff90092b90dc>] __asan_loadN+0x14/0x20
[<ffffff9009c12804>] set_disp_mode_auto+0x244/0x870
[<ffffff9009c13994>] hdmitx_late_resume+0x1cc/0x288
[<ffffff9009da5f30>] early_suspend_trigger_store+0x1a8/0x1d0
[<ffffff9009640ac4>] kobj_attr_store+0x44/0x60
[<ffffff90093973b0>] sysfs_kf_write+0x98/0xb8
[<ffffff9009396134>] kernfs_fop_write+0x12c/0x270
[<ffffff90092c9888>] __vfs_write+0xd8/0x268
[<ffffff90092cae48>] vfs_write+0xd8/0x240
[<ffffff90092ccd8c>] SyS_write+0xc4/0x148
[<ffffff9009083f00>] el0_svc_naked+0x34/0x38

The buggy address belongs to the variable:
 all_fmt_paras+0x1460/0x14a0

Memory state around the buggy address:
 ffffff900a67e380: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
 ffffff900a67e400: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
>ffffff900a67e480: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
                                              ^
 ffffff900a67e500: 00 07 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
 ffffff900a67e580: 00 04 fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
==================================================================

Change-Id: Ie2435c031c04ac23e801cfefa80a29071c120b4f
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c