| Message ID | 20230508214443.893436-1-badhri@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2468353vqo;
Mon, 8 May 2023 15:25:30 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ6DwmGzW31mdlSvERuEu34PPPA7A8w9rEhWibp0cnNceq2djig3Xvv2ucKvejpJx+c0LMfk
X-Received: by 2002:a05:6a20:3d93:b0:ef:acca:9e19 with SMTP id
s19-20020a056a203d9300b000efacca9e19mr16544842pzi.14.1683584730090;
Mon, 08 May 2023 15:25:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683584730; cv=none;
d=google.com; s=arc-20160816;
b=fp3qNOM1IFdXeiBvSGjJ0wcdBigRyi96LqXD79ftCx1QdaQGgIW5OcSVArb663yJIe
SjGcULMaWaxpKhN6nJM+l/pWpJ3SmeKmd8OxcYo9kVSzOEAmvh3hLhN6zRHLRNoKk6hF
goFn+Zs9wkILM0lhjTh/9nt++xc24o9c5DLtPqtWl56YW1zPQ7ibrlSGpsR/uLmZgdsg
LF3R3a2W9MSGOS8n53TqhRWwRPutWO7GuD0ENT93wgPsKTtETiLTlqy6HoIrDUfacHVM
2UaP4nydGcebwI5zUGjxwYcC/GW30Tm0EiqIzI9XHa9HEAsbbK5TnU3rxKA2+VrnB0dU
XuCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date
:dkim-signature;
bh=YWAqI/Kk7C1aWuQUx3p0nPdIT/a5Kqtc/ZwtQTnIWi4=;
b=cBnuDCQc0fjomW+CzSIe6foavinTlCQpiQRygBW+DMFpPtKP92DOkG5RgJVY16q1kT
3Sfv51FW+RL215k+vnGAEnpk0wKixqEc+5+YU4Htxi3NAa3hiAiLNBigV54t1pGGMNDg
QAGafwA8Vm6VnZh5z/rArBHpUGkPWeWEJFmPazPOy7pmi3fpnEXHKvsISCvGLXUKr1/v
vVVnkDMMqk81DsKtPqjhgC4IYZ0S0+gDavfoxc5/jdPs/dgbQzvOzTWffAcqzhzHSOaq
2kAvLpgIrTPosb/oSQw6ypoAB29JbVHYqjc+Zqzb38w248/q3vLGz2brrEEHTi7rVkQO
0YgQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=7kGs2scB;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
y205-20020a6264d6000000b0063b7b02424fsi857017pfb.250.2023.05.08.15.25.15;
Mon, 08 May 2023 15:25:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=7kGs2scB;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232803AbjEHVpB (ORCPT <rfc822;jeantsuru.cumc.mandola@gmail.com>
+ 99 others); Mon, 8 May 2023 17:45:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56196 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234246AbjEHVo4 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 8 May 2023 17:44:56 -0400
Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com
[IPv6:2607:f8b0:4864:20::449])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3ADFB138
for <linux-kernel@vger.kernel.org>;
Mon, 8 May 2023 14:44:55 -0700 (PDT)
Received: by mail-pf1-x449.google.com with SMTP id
d2e1a72fcca58-6437923cca9so5120779b3a.2
for <linux-kernel@vger.kernel.org>;
Mon, 08 May 2023 14:44:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20221208; t=1683582295; x=1686174295;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=YWAqI/Kk7C1aWuQUx3p0nPdIT/a5Kqtc/ZwtQTnIWi4=;
b=7kGs2scBYldQX+e+k2+m1q6fU/9c9u6Vb1STUfW0e1BlcplFBmLBusMn2WStRMaf/q
sDAJO5hcwd7J7ZOIW+DkVpSUtojg1OfxSIMuT17etWTdyr+NBdFb2taBNCBTNN9t/YCV
j1TQTmlLCc2gIydnSJFQOsbiDBghwfZBZ3mtz5XNN4MTKct/vxS6dL30ngBYPtIh1d/A
jOFXWgTnZLKRG0ha1QKL+yqW91DtGOlvfHFxk12e4bWsYfUSwnPkXFZaqLi/drexzaqQ
v+4tA/R/ZBRFWxjBynQJynJRKBjrvtjpmgHMMwXcO4U1z8n5GqbHgRd8YsYCtAaQ8Y2v
JDTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1683582295; x=1686174295;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=YWAqI/Kk7C1aWuQUx3p0nPdIT/a5Kqtc/ZwtQTnIWi4=;
b=lpSd7MN23xa0gTcFfPzhwGAl7dfbtnuFAdMpn4dhco9QC0dkDBrjMZWZAjMFkfYqqm
76aL/6ZqQZV8ZFqGF/IlIhpeIBNZd+JYZ7VclgVp3fNjYn0dsQmJxJ5VoHFJams3cj7a
pXGOxDLf9zaePrMfrobRQiUo8N/FJTQkSJF4kDSguf3xMXFEnCk9cLBW7HUILq7xzs60
rhc1yQjRuvfW1UUBkGNfAVVJrJHqBk24GlELLcyUTZoWzKSLMCZtv3LTjH5OekEIclpZ
beWmuuPmsCjR4mfXUUAKJ55cUNODyWZTrBoYpqHBbLyjAUPMxcFM9XDyNMGzi8nn206X
R1Tg==
X-Gm-Message-State: AC+VfDy+v55q6AnhctV9gsGYrr6N8SYsHNbuaUn21AjbmkivvijK872O
AmwtCj1W2hhEaYPnKw1RWI6D4csvmnk=
X-Received: from badhri.c.googlers.com
([fda3:e722:ac3:cc00:7f:e700:c0a8:6442])
(user=badhri job=sendgmr) by 2002:a05:6a00:d68:b0:643:6fa8:e7f4 with SMTP id
n40-20020a056a000d6800b006436fa8e7f4mr3494658pfv.0.1683582294746; Mon, 08 May
2023 14:44:54 -0700 (PDT)
Date: Mon, 8 May 2023 21:44:43 +0000
Mime-Version: 1.0
X-Mailer: git-send-email 2.40.1.521.gf1e218fcd8-goog
Message-ID: <20230508214443.893436-1-badhri@google.com>
Subject: [PATCH v1] usb: typec: altmodes/displayport: fix pin_assignment_show
From: Badhri Jagan Sridharan <badhri@google.com>
To: gregkh@linuxfoundation.org, heikki.krogerus@linux.intel.com
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
rdbabiera@google.com, stable@vger.kernel.org,
Badhri Jagan Sridharan <badhri@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765366541814526819?=
X-GMAIL-MSGID: =?utf-8?q?1765366541814526819?=
|
| Series |
[v1] usb: typec: altmodes/displayport: fix pin_assignment_show
|
|
Commit Message
Badhri Jagan Sridharan
May 8, 2023, 9:44 p.m. UTC
This patch fixes negative indexing of buf array in pin_assignment_show
when get_current_pin_assignments returns 0 i.e. no compatible pin
assignments are found.
BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
...
Call trace:
dump_backtrace+0x110/0x204
dump_stack_lvl+0x84/0xbc
print_report+0x358/0x974
kasan_report+0x9c/0xfc
__do_kernel_fault+0xd4/0x2d4
do_bad_area+0x48/0x168
do_tag_check_fault+0x24/0x38
do_mem_abort+0x6c/0x14c
el1_abort+0x44/0x68
el1h_64_sync_handler+0x64/0xa4
el1h_64_sync+0x78/0x7c
pin_assignment_show+0x26c/0x33c
dev_attr_show+0x50/0xc0
Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
Cc: stable@vger.kernel.org
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
---
drivers/usb/typec/altmodes/displayport.c | 4 ++++
1 file changed, 4 insertions(+)
base-commit: ac9a78681b921877518763ba0e89202254349d1b
Comments
On Mon, May 08, 2023 at 09:44:43PM +0000, Badhri Jagan Sridharan wrote: > This patch fixes negative indexing of buf array in pin_assignment_show > when get_current_pin_assignments returns 0 i.e. no compatible pin > assignments are found. > > BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c > ... > Call trace: > dump_backtrace+0x110/0x204 > dump_stack_lvl+0x84/0xbc > print_report+0x358/0x974 > kasan_report+0x9c/0xfc > __do_kernel_fault+0xd4/0x2d4 > do_bad_area+0x48/0x168 > do_tag_check_fault+0x24/0x38 > do_mem_abort+0x6c/0x14c > el1_abort+0x44/0x68 > el1h_64_sync_handler+0x64/0xa4 > el1h_64_sync+0x78/0x7c > pin_assignment_show+0x26c/0x33c > dev_attr_show+0x50/0xc0 > > Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") > Cc: stable@vger.kernel.org > Signed-off-by: Badhri Jagan Sridharan <badhri@google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > drivers/usb/typec/altmodes/displayport.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c > index 8f3e884222ad..66de880b28d0 100644 > --- a/drivers/usb/typec/altmodes/displayport.c > +++ b/drivers/usb/typec/altmodes/displayport.c > @@ -516,6 +516,10 @@ static ssize_t pin_assignment_show(struct device *dev, > > mutex_unlock(&dp->lock); > > + /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ > + if (len == 0) > + len++; > + > buf[len - 1] = '\n'; > return len; > } thanks,
diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c index 8f3e884222ad..66de880b28d0 100644 --- a/drivers/usb/typec/altmodes/displayport.c +++ b/drivers/usb/typec/altmodes/displayport.c @@ -516,6 +516,10 @@ static ssize_t pin_assignment_show(struct device *dev, mutex_unlock(&dp->lock); + /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ + if (len == 0) + len++; + buf[len - 1] = '\n'; return len; }