From 7f4cb6b3b70b42898d34b0f39a3efd52e9bac95f Mon Sep 17 00:00:00 2001 
From: Zongdong Jiao
Date: Fri, 31 Aug 2018 16:34:48 +0800
Subject: [PATCH] hdmitx: fix KASAN Bug in store_valid_mode [1/1]
PD#172926: hdmitx: fix KASAN Bug in store_valid_mode
==================================================================
BUG: KASAN: slab-out-of-bounds in store_valid_mode+0x48/0x70
Read of size 32 at addr ffffffc04a64ef80 by task systemcontrol/2924
CPU: 1 PID: 2924 Comm: systemcontrol Tainted: G O 4.9.113 #7
Hardware name: Amlogic (DT)
Call trace:
[] dump_backtrace+0x0/0x368
[] show_stack+0x24/0x30
[] dump_stack+0xa0/0xc8
[] print_address_description+0x68/0x258
[] kasan_report+0x264/0x338
[] check_memory_region+0x12c/0x1c0
[] __asan_loadN+0x14/0x20
[] store_valid_mode+0x48/0x70
[] dev_attr_store+0x4c/0x68
[] sysfs_kf_write+0x98/0xb8
[] kernfs_fop_write+0x12c/0x270
[] __vfs_write+0xd8/0x268
[] vfs_write+0xd8/0x240
[] SyS_write+0xc4/0x148
[] el0_svc_naked+0x34/0x38
Allocated by task 2924:
save_stack_trace_tsk+0x0/0x268
save_stack_trace+0x24/0x30
kasan_kmalloc+0xd8/0x188
__kmalloc+0x14c/0x2e8
kernfs_fop_write+0x1d0/0x270
__vfs_write+0xd8/0x268
vfs_write+0xd8/0x240
SyS_write+0xc4/0x148
el0_svc_naked+0x34/0x38
Freed by task 2746:
save_stack_trace_tsk+0x0/0x268
save_stack_trace+0x24/0x30
kasan_slab_free+0x88/0x188
kfree+0x80/0x280
selinux_cred_free+0x34/0x50
security_cred_free+0x48/0x70
put_cred_rcu+0x38/0x110
rcu_process_callbacks+0x3b4/0x950
__do_softirq+0x210/0x5ec
The buggy address belongs to the object at ffffffc04a64ef80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffffffc04a64ef80, ffffffc04a64efc0)
The buggy address belongs to the page:
page:ffffffbf01299380 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x7ab1600000080(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffffffc04a64ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffffffc04a64ef00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffffffc04a64ef80: 00 00 02 fc
fc fc fc fc fc fc fc fc fc fc fc fc
^
 ffffffc04a64f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc04a64f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Change-Id: I553bd648453385788899fadf0da9f17817891db2
Signed-off-by: Zongdong Jiao
---
 drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
index c1d4cc1..f6e2c70 100644
--- a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
+++ b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
@@ -2231,7 +2231,7 @@ static ssize_t store_valid_mode(struct device *dev,
 struct device_attribute *attr, const char *buf, size_t count)
 {
 memset(cvalid_mode, 0, sizeof(cvalid_mode));
- memcpy(cvalid_mode, buf, sizeof(cvalid_mode));
+ strncpy(cvalid_mode, buf, sizeof(cvalid_mode));
 cvalid_mode[31] = '\0';
 return count;
 }
--
2.7.4
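Review bot: The terminator write `cvalid_mode[31] = '\0';` right after the new `strncpy` still hard-codes the array length that the copy now takes from `sizeof(cvalid_mode)`, so the two bounds will drift apart if the array is ever resized and the string can become unterminated again. Prefer `cvalid_mode[sizeof(cvalid_mode) - 1] = '\0';`, or fold copy and termination into `strscpy(cvalid_mode, buf, sizeof(cvalid_mode));`, which always terminates and is already available in a 4.9 tree; the preceding `memset` keeps the zero padding either way. The bounded copy now depends on `buf` being NUL-terminated rather than on `count`; for a sysfs store that holds, as far as I recall, because kernfs_fop_write terminates the buffer it hands down, but `count` is still never used to bound the copy and a trailing newline from a shell `echo` is carried into the mode string unless a consumer strips it — worth confirming against whoever reads cvalid_mode. The function's opening line is in the hunk header, outside the hunk.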