diff options
author | Min Liu <minliu@codeaurora.org> | 2018-03-14 14:51:12 +0800 |
---|---|---|
committer | Eric Olsen <eolsen@google.com> | 2018-07-11 12:41:07 -0700 |
commit | 0d50060604d16ddbb01484bfdf4c9885bd220550 (patch) | |
tree | 5692090b5bbac088d6c0a2835faafc8eb0a10dac | |
parent | 4f83106d0e914c27620f5f9c86f69fe8805c9e78 (diff) | |
download | qcom-msm8x09-v3.10-0d50060604d16ddbb01484bfdf4c9885bd220550.tar.gz |
qcacld-2.0: Fix integer underflow and buffer over-read in fwlog
propagation from qcacld-3.0 to qcacld-2.0
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can
result in integer underflow.
2) Number of dbg log args against the total length, which can result in
buffer over-read.
To fix this, compare size of firmware event parameters and number of
dbg log args with total buffer length.
Bug: 72679324
Change-Id: I3f6ce2dddda9e583e8abe388a422591f59c0751d
CRs-Fixed: 2205372
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c b/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c index 7a7be6ddade..8e4201a54cc 100644 --- a/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c +++ b/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -1892,7 +1892,7 @@ dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length) char parseArgsString[DBGLOG_PARSE_ARGS_STRING_LENGTH]; char *dbgidString; - while (count < length) { + while (count + 1 < length) { debugid = DBGLOG_GET_DBGID(buffer[count + 1]); moduleid = DBGLOG_GET_MODULEID(buffer[count + 1]); @@ -1904,12 +1904,16 @@ dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length) OS_MEMZERO(parseArgsString, sizeof(parseArgsString)); totalWriteLen = 0; + if (!numargs || (count + numargs + 2 > length)) + goto skip_args_processing; + for (curArgs = 0; curArgs < numargs; curArgs++){ // Using sprintf_s instead of sprintf, to avoid length overflow writeLen = snprintf(parseArgsString + totalWriteLen, DBGLOG_PARSE_ARGS_STRING_LENGTH - totalWriteLen, "%x ", buffer[count + 2 + curArgs]); totalWriteLen += writeLen; } +skip_args_processing: if (debugid < MAX_DBG_MSGS){ dbgidString = DBG_MSG_ARR[moduleid][debugid]; if (dbgidString != NULL) { @@ -2398,6 +2402,11 @@ dbglog_parse_debug_logs(ol_scn_t scn, u_int8_t *data, u_int32_t datalen) len = param_buf->num_bufp; } + if (len < sizeof(dropped)) { + AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("Invalid length\n")); + return -1; + } + dropped = *((A_UINT32 *)datap); if (dropped > 0) { AR_DEBUG_PRINTF(ATH_DEBUG_TRC , ("%d log buffers are dropped \n", dropped)); |