Fix issues found by static analysis tool 37/155537/2
authorDmitry Kovalenko <d.kovalenko@samsung.com>
Fri, 13 Oct 2017 09:36:58 +0000 (12:36 +0300)
committerDmitry Kovalenko <d.kovalenko@samsung.com>
Fri, 13 Oct 2017 11:42:10 +0000 (14:42 +0300)
decode_thumb.c: Out-of-bounds access
probes_arm.c: Out-of-bounds access
swap_kprobes.c: Resource leak

Change-Id: I54c92029f5adb83b8d4f8f29cc4e683d6545ab6c
Signed-off-by: Dmitry Kovalenko <d.kovalenko@samsung.com>
arch/arm/probes/decode_thumb.c
arch/arm/probes/probes_arm.c
kprobe/swap_kprobes.c

index 71f5da5c5cc1688e82c91856d6ba62ffac311fbc..a35f262c0714a456490bc8f38fa41f810584e022 100644 (file)
@@ -68,7 +68,7 @@ static void make_def(void *tramp, u32 insn, u32 vaddr, bool t2)
 
 static void tt_make_common(void *tramp, u32 insn, u32 vaddr, bool t2)
 {
-       memcpy(tramp, gen_insn_execbuf_thumb, 4 * PROBES_TRAMP_LEN);
+       memcpy(tramp, gen_insn_execbuf_thumb, sizeof(gen_insn_execbuf_thumb));
        make_def(tramp, insn, vaddr, t2);
 }
 
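Review bot: Sizing the copy in tt_make_common from the source template bounds the read, but nothing visible bounds the write: `tramp` is a `void *` with no length, so the copy is only safe while every template is no larger than the trampoline slot. The same applies to the memcpy in tt_make_pc_deps and to the six memcpy calls changed in probes_arm.c. A compile-time check beside each copy would pin this, e.g. `BUILD_BUG_ON(sizeof(gen_insn_execbuf_thumb) > TRAMP_SLOT_BYTES);`, where TRAMP_SLOT_BYTES is a placeholder for the real slot size in bytes. The old code passed `4 * PROBES_TRAMP_LEN` here and bare `PROBES_TRAMP_LEN` in probes_arm.c, so the unit of that constant is worth confirming at the same time.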
@@ -77,7 +77,8 @@ static void tt_make_pc_deps(void *tramp, u32 mod_insn, u32 vaddr, bool t2)
        u32 pc_val = vaddr + 4;
        u16 *tr = tramp;
 
-       memcpy(tramp, pc_dep_insn_execbuf_thumb, 4 * PROBES_TRAMP_LEN);
+       memcpy(tramp, pc_dep_insn_execbuf_thumb,
+              sizeof(pc_dep_insn_execbuf_thumb));
        make_def(tramp, mod_insn, vaddr, t2);
 
        /* save PC value */
index 9e27870be4f927a1e796b26a2d1d96008c7e74db..114eeb46090e4da6c0ad9e1136c4c940594d8b38 100644 (file)
@@ -140,7 +140,7 @@ static int make_branch_tarmpoline(u32 addr, u32 insn, u32 *tramp)
        if (ARM_INSN_MATCH(B, insn) &&
            !ARM_INSN_MATCH(BLX1, insn)) {
                /* B check can be false positive on BLX1 instruction */
-               memcpy(tramp, b_cond_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, b_cond_insn_execbuf, sizeof(b_cond_insn_execbuf));
                tramp[PROBES_TRAMP_RET_BREAK_IDX] = RET_BREAK_ARM;
                tramp[0] |= insn & 0xf0000000;
                tramp[6] = get_addr_b(insn, addr);
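Review bot: The fixed-slot writes after the copy (`tramp[PROBES_TRAMP_RET_BREAK_IDX]` and `tramp[6]` here, `tramp[7]` in the BX/BLX branch) now rely on each template being at least that many words long, because the copy no longer covers a fixed length. If a template is shorter, the words between its end and the patched slot keep whatever the buffer held before, and this buffer is later executed. Assuming the templates are u32 arrays, I would add `BUILD_BUG_ON(ARRAY_SIZE(b_cond_insn_execbuf) <= PROBES_TRAMP_RET_BREAK_IDX);` for each template. I would also give the literal 6 and 7 names, like the existing index macros. make_branch_tarmpoline starts and ends outside this hunk and the template definitions are not shown, so the lengths need checking against them.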
@@ -149,14 +149,14 @@ static int make_branch_tarmpoline(u32 addr, u32 insn, u32 *tramp)
        /* BX, BLX (Rm) */
        } else if (ARM_INSN_MATCH(BX, insn) ||
                   ARM_INSN_MATCH(BLX2, insn)) {
-               memcpy(tramp, b_r_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, b_r_insn_execbuf, sizeof(b_r_insn_execbuf));
                tramp[0] = insn;
                tramp[PROBES_TRAMP_RET_BREAK_IDX] = RET_BREAK_ARM;
                tramp[7] = addr + 4;
                ok = 1;
        /* BL, BLX (Off) */
        } else if (ARM_INSN_MATCH(BLX1, insn)) {
-               memcpy(tramp, blx_off_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, blx_off_insn_execbuf, sizeof(blx_off_insn_execbuf));
                tramp[0] |= 0xe0000000;
                tramp[1] |= 0xe0000000;
                tramp[PROBES_TRAMP_RET_BREAK_IDX] = RET_BREAK_ARM;
@@ -166,7 +166,7 @@ static int make_branch_tarmpoline(u32 addr, u32 insn, u32 *tramp)
                ok = 1;
        /* BL */
        } else if (ARM_INSN_MATCH(BL, insn)) {
-               memcpy(tramp, blx_off_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, blx_off_insn_execbuf, sizeof(blx_off_insn_execbuf));
                tramp[0] |= insn & 0xf0000000;
                tramp[1] |= insn & 0xf0000000;
                tramp[PROBES_TRAMP_RET_BREAK_IDX] = RET_BREAK_ARM;
@@ -251,7 +251,7 @@ int make_trampoline_arm(u32 addr, u32 insn, u32 *tramp)
        }
 
        if (unlikely(uregs && pc_dep)) {
-               memcpy(tramp, pc_dep_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, pc_dep_insn_execbuf, sizeof(pc_dep_insn_execbuf));
                if (prep_pc_dep_insn_execbuf(tramp, insn, uregs) != 0) {
                        pr_err("Error in %s at %d: failed "
                               "to prepare exec buffer for insn %x!",
@@ -261,7 +261,7 @@ int make_trampoline_arm(u32 addr, u32 insn, u32 *tramp)
 
                tramp[6] = addr + 8;
        } else {
-               memcpy(tramp, gen_insn_execbuf, PROBES_TRAMP_LEN);
+               memcpy(tramp, gen_insn_execbuf, sizeof(gen_insn_execbuf));
                tramp[PROBES_TRAMP_INSN_IDX] = insn;
        }
 
index 5fe94741dbcfd21b31a2f786d211f9407758c9b0..3981ffef57f9a1e50ad45547cd23fbabac244342 100644 (file)
@@ -543,8 +543,10 @@ int swap_register_kprobe(struct kprobe *p)
                }
 
                ret = arch_kp_core_prepare(core, &sm);
-               if (ret)
+               if (ret) {
+                       kp_core_free(core);
                        goto unlock;
+               }
 
                ret = kp_core_add_kprobe(core, p);
                if (ret) {
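Review bot: The new `kp_core_free(core);` is written inline in the arch_kp_core_prepare failure branch, while the kp_core_add_kprobe failure branch right below needs at least the same release and its body lies outside the hunk. A shared label would keep the two paths from drifting apart: `goto free_core;` in both branches, with `free_core: kp_core_free(core);` placed before `unlock:`. It is also worth confirming that arch_kp_core_prepare leaves nothing allocated through `sm` when it fails, since only `core` is released here.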