lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 11 Jan 2019 11:58:39 +0100
From:   Uwe Kleine-König 
        <u.kleine-koenig@...gutronix.de>
To:     Marc Kleine-Budde <mkl@...gutronix.de>
Cc:     netdev@...r.kernel.org, linux-stable <stable@...r.kernel.org>,
        linux-can@...r.kernel.org, kernel@...gutronix.de,
        davem@...emloft.net,
        Alexander Stein <alexander.stein@...tec-electronic.com>
Subject: [PATCH v4.19.x] can: flexcan: fix out-of-bounds array access

The loop body uses regs->mb[i], so i should not ensured to be smaller
than ARRAY_SIZE(regs->mb).

This change fixes a backtrace during boot on an i.MX25 based machine:

[   10.093464] Unhandled fault: external abort on non-linefetch (0x808) at 0xc89f4480
[   10.101096] pgd = (ptrval)
[   10.103830] [c89f4480] *pgd=87885811, *pte=43f88653, *ppte=43f88552
[   10.110174] Internal error: : 808 [#1] PREEMPT ARM
[   10.114988] Modules linked in:
[   10.118096] CPU: 0 PID: 680 Comm: ip Not tainted 4.19.13-20180926-1-00011-ga0dd04ff511f-dirty #7
[   10.126904] Hardware name: Freescale i.MX25 (Device Tree Support)
[   10.133066] PC is at flexcan_write_le+0x0/0x8
[   10.137469] LR is at flexcan_chip_start+0x450/0x474
[   10.142373] pc : [<c0436f18>]    lr : [<c0437680>]    psr: 20000013
[   10.148658] sp : c6e0f900  ip : 00000000  fp : c708b000
[   10.153903] r10: c0789a38  r9 : c89f4004  r8 : c89f4490
[   10.159150] r7 : 00000000  r6 : c708b3e0  r5 : c89f4000  r4 : c89f4490
[   10.165697] r3 : c0436f10  r2 : c0436f18  r1 : c89f4480  r0 : 00000000
[   10.172249] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[   10.179407] Control: 0005317f  Table: 86e40000  DAC: 00000051
[   10.185173] Process ip (pid: 680, stack limit = 0x(ptrval))
[   10.190768] Stack: (0xc6e0f900 to 0xc6e10000)
[   10.195168] f900: 00000080 c708b000 00000000 c70c0780 00000001 00040080 c06a4760 c6d15e10
[   10.203388] f920: 00000000 c0438534 c708b000 c708b000 c708b000 c084d028 c06a4760 c0504924
[   10.211603] f940: 00000000 0000003c ffffe000 c708b000 00000000 cf29b3e2 c708b000 c084d028
[   10.219824] f960: 00040081 c0504d0c 000000be 00000000 c06a485c c6e0f9fc c708b000 cf29b3e2
[   10.228040] f980: c084d028 c708b000 00000000 c708b138 00040080 c6e0fca0 c06a4760 c0504d94
[   10.236258] f9a0: c708b000 c6e0fbd0 c084d028 c72346c0 c6e0fca0 c051b1cc 000000a1 0000000b
[   10.244479] f9c0: 00000002 c6e0fd6c c793b3b8 c708b000 c6e0fb0c c6e0fb0c c084d028 c6e0f9fc
[   10.252698] f9e0: c06a485c c708b3fc c708b000 c04364a4 00000000 c6d15e40 00000001 0000c350
[   10.260915] fa00: 00000359 00000594 00000005 cf29b3e2 00000002 c708b000 00000000 00000000
[   10.269132] fa20: c6d15e00 c6e0fb0c c084d7f8 c6e0fd6c 00000000 c051c0cc c6e0fbd0 c6e0fca0
[   10.277348] fa40: 00000003 c032efa8 c08b1940 00000000 c72346c0 c6d15e10 0000007c c055c32c
[   10.285566] fa60: 00000000 c6d15e2c c6d15e34 00000000 00000000 00000000 0000fe88 c0856980
[   10.293779] fa80: c6c8e920 0000007c 000005a8 00000000 0000007c 00000000 00000000 00000000
[   10.301996] faa0: 00000000 0000fe88 00000000 c0042e14 00000000 00000000 00000000 00000000
[   10.310213] fac0: c084d028 c00494b8 c7aa2150 c00341f8 f9b002f7 c004951c c7aa2150 cf29b3e2
[   10.318429] fae0: c6d7497c c781bd00 c08c0554 00000000 00000000 c08c8968 c7a2b860 c00341f8
[   10.326648] fb00: c084d028 c08569b0 c7aa2150 00000000 c6d15e40 00000000 00000000 00000000
[   10.334861] fb20: 00000000 c6d15e38 00000000 00000000 00000000 00000000 00000000 00000000
[   10.343078] fb40: 00000000 00000000 00000000 c6c7e200 c6e0fb84 c025a9bc 00000000 00000000
[   10.351294] fb60: c6d74958 c025a9bc 00000000 c0335c90 c72f7e00 c00341f8 c6d74a78 c6d74ac0
[   10.359513] fb80: c71af3e0 cf29b3e2 c6d164fc c781bd00 c08c0554 00000000 00000000 c08c8968
[   10.367731] fba0: c7a2b860 c00341f8 c6e0fcd0 00000000 c6e0fcd0 c067849c c6cd6bc0 20000013
[   10.375949] fbc0: ffffffe1 c6e0fc2c c084d028 c6d16640 00000000 00000000 00000000 00000000
[   10.384164] fbe0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.392378] fc00: 00000000 c6d15e20 00000000 00000000 00000000 00000000 c6d15e28 00000000
[   10.400595] fc20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.408808] fc40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.417024] fc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.425237] fc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.433454] fca0: c7711300 c08569b0 c7aa2150 00000009 006e6163 00000000 00000000 00000000
[   10.441668] fcc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   10.449885] fce0: 00000000 00000000 00000000 cf29b3e2 c08c8010 c78f4440 00000000 c6d15e00
[   10.458101] fd00: c084d028 c6e0fd6c c72346c0 c091bbc4 00000000 c0517800 c6e0fd64 00000000
[   10.466318] fd20: 006200ca ffffe000 c77114b4 c6e0fdb4 c6e0fdb4 c065d938 0000000f cf29b3e2
[   10.474537] fd40: 00000000 c72346c0 c05176e0 c084d028 c6d15e00 00000064 00000000 c084d028
[   10.482750] fd60: 00000000 c053c710 00000000 00000000 00000000 00000000 00000000 00000000
[   10.490966] fd80: 00000000 00000000 00000000 cf29b3e2 c790cc00 c6d82c00 00000064 c72346c0
[   10.499184] fda0: c6e0fda8 c053bed0 7fffffff cf29b3e2 c6e0ff5c c084d028 c6d82c00 c72346c0
[   10.507402] fdc0: 006000c0 00000064 00000000 c053c348 0000000c c6e0ff64 c084d028 00000000
[   10.515616] fde0: c6e0fe38 00000008 c6cd6b40 00000000 000002a8 00000000 00000000 cf29b3e2
[   10.523832] fe00: be84d778 c6e0ff5c 00000000 c084d028 00000000 c76ec060 00000000 c6e0fefc
[   10.532052] fe20: 00000000 c04e14d4 c6e0ff5c c04e1a40 c6e0fe54 00041000 00000000 be84d798
[   10.540266] fe40: 00000064 c012d73c 00000000 004c4b40 00000000 c6e2a560 00000070 006200ca
[   10.548482] fe60: 00000031 00041000 c6e40000 c6e40000 00000000 00000000 00000000 00000010
[   10.556697] fe80: 00000000 00000000 00000000 cf29b3e2 c6e0ffb0 c6e0ffb0 c7aa2120 c6d55ba0
[   10.564915] fea0: 80000005 00041350 00000070 c00117f0 c6e0e000 00000000 be84cf44 c015733c
[   10.573133] fec0: c789a030 00000000 00000000 00000000 00000000 c01306f0 00000000 c08517b8
[   10.581350] fee0: 00000005 c084d028 c0011a74 00041350 c6e0ffb0 00066328 be84df30 c0011c64
[   10.589568] ff00: 0042a000 c6e2a630 c6e2a620 c0166f58 c6d55ba0 00000000 00000021 cf29b3e2
[   10.597786] ff20: c6e2a630 c084d028 be84d72c 00000000 c76ec060 c00091e4 c6e0e000 00000000
[   10.606004] ff40: 0008c000 c04e2a20 00000000 00000000 be84cf44 00000000 fffffff7 c6e0fe7c
[   10.614221] ff60: 0000000c 00000001 00000000 00000000 c6e0fe44 00000000 c00091e4 00000000
[   10.622437] ff80: 00000000 00000000 00000000 cf29b3e2 c00091e4 00000000 be84de48 00041350
[   10.630657] ffa0: 00000128 c0009000 00000000 be84de48 00000003 be84d72c 00000000 00000000
[   10.638873] ffc0: 00000000 be84de48 00041350 00000128 5c3875b0 00000000 00066328 0008c000
[   10.647091] ffe0: b6ee0000 be84d6d8 00062aa0 b6e70918 60000010 00000003 00000000 00000000
[   10.655357] [<c0436f18>] (flexcan_write_le) from [<c0437680>] (flexcan_chip_start+0x450/0x474)
[   10.664035] [<c0437680>] (flexcan_chip_start) from [<c0438534>] (flexcan_open+0xf8/0x144)
[   10.672278] [<c0438534>] (flexcan_open) from [<c0504924>] (__dev_open+0xe8/0x174)
[   10.679814] [<c0504924>] (__dev_open) from [<c0504d0c>] (__dev_change_flags+0x160/0x1c8)
[   10.687956] [<c0504d0c>] (__dev_change_flags) from [<c0504d94>] (dev_change_flags+0x20/0x50)
[   10.696452] [<c0504d94>] (dev_change_flags) from [<c051b1cc>] (do_setlink+0x360/0xa88)
[   10.704424] [<c051b1cc>] (do_setlink) from [<c051c0cc>] (rtnl_newlink+0x4a4/0x6f4)
[   10.712046] [<c051c0cc>] (rtnl_newlink) from [<c0517800>] (rtnetlink_rcv_msg+0x120/0x2f4)
[   10.720294] [<c0517800>] (rtnetlink_rcv_msg) from [<c053c710>] (netlink_rcv_skb+0xbc/0x118)
[   10.728707] [<c053c710>] (netlink_rcv_skb) from [<c053bed0>] (netlink_unicast+0x184/0x1fc)
[   10.737028] [<c053bed0>] (netlink_unicast) from [<c053c348>] (netlink_sendmsg+0x338/0x38c)
[   10.745363] [<c053c348>] (netlink_sendmsg) from [<c04e14d4>] (sock_sendmsg+0x1c/0x2c)
[   10.753254] [<c04e14d4>] (sock_sendmsg) from [<c04e1a40>] (___sys_sendmsg+0x210/0x22c)
[   10.761226] [<c04e1a40>] (___sys_sendmsg) from [<c04e2a20>] (__sys_sendmsg+0x54/0x94)
[   10.769103] [<c04e2a20>] (__sys_sendmsg) from [<c0009000>] (ret_fast_syscall+0x0/0x50)
[   10.777047] Exception stack(0xc6e0ffa8 to 0xc6e0fff0)
[   10.782132] ffa0:                   00000000 be84de48 00000003 be84d72c 00000000 00000000
[   10.790348] ffc0: 00000000 be84de48 00041350 00000128 5c3875b0 00000000 00066328 0008c000
[   10.798551] ffe0: b6ee0000 be84d6d8 00062aa0 b6e70918
[   10.803643] Code: e5813000 e12fff1e e5900000 e12fff1e (e5810000)
[   10.809769] ---[ end trace 1a4586e3b7840d04 ]---

Fixes: 24e5589791d0 ("can: flexcan: Always use last mailbox for TX")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
---
 drivers/net/can/flexcan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 75ce11395ee8..ae219b8a7754 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -1004,7 +1004,7 @@ static int flexcan_chip_start(struct net_device *dev)
 		}
 	} else {
 		/* clear and invalidate unused mailboxes first */
-		for (i = FLEXCAN_TX_MB_RESERVED_OFF_FIFO; i <= ARRAY_SIZE(regs->mb); i++) {
+		for (i = FLEXCAN_TX_MB_RESERVED_OFF_FIFO; i < ARRAY_SIZE(regs->mb); i++) {
 			priv->write(FLEXCAN_MB_CODE_RX_INACTIVE,
 				    &regs->mb[i].can_ctrl);
 		}
-- 
2.20.1

Powered by blists - more mailing lists