samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Código Incidencias Pull Requests Acciones Paquetes Proyectos Lanzamientos Wiki Actividad

qcacmn: Fix integer underflow and buffer over-read in fwlog

Explorar el Código 
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can
result in integer underflow.
2) Number of dbg log args against the total length, which can result in
buffer over-read.

To fix this, compare size of firmware event parameters and number of
dbg log args with total buffer length.

Change-Id: I7fbc684ec9e80cfc66220755a1ad6b9394194735
CRs-Fixed: 2197246
Este commit está contenido en:
Rajeev Kumar Sirasanagandla
2018-02-28 12:21:47 +05:30
cometido por nshrivas
padre deeaf6e9b2
commit 448e07a99e
Se han modificado 1 ficheros con 11 adiciones y 3 borrados
Descargar archivo de parche Descargar archivo de diferencias Expandir todos los archivos Contraer todos los archivos

14
utils/fwlog/dbglog_host.c
Ver fichero

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
* Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -1483,7 +1483,7 @@ static int dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length)
char parseArgsString[DBGLOG_PARSE_ARGS_STRING_LENGTH];
char *dbgidString;
while (count < length) {
while ((count + 1) < length) {
debugid = DBGLOG_GET_DBGID(buffer[count + 1]);
moduleid = DBGLOG_GET_MODULEID(buffer[count + 1]);
@@ -1496,6 +1496,9 @@ static int dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length)
OS_MEMZERO(parseArgsString, sizeof(parseArgsString));
totalWriteLen = 0;
if (!numargs || (count + numargs + 2 > length))
goto skip_args_processing;
for (curArgs = 0; curArgs < numargs; curArgs++) {
/*
* Using sprintf_s instead of sprintf,
@@ -1508,7 +1511,7 @@ static int dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length)
buffer[count + 2 + curArgs]);
totalWriteLen += writeLen;
}
skip_args_processing:
if (debugid < MAX_DBG_MSGS) {
dbgidString = DBG_MSG_ARR[moduleid][debugid];
if (dbgidString != NULL) {
@@ -2000,6 +2003,11 @@ int dbglog_parse_debug_logs(ol_scn_t scn, uint8_t *data, uint32_t datalen)
len = param_buf->num_bufp;
}
if (len < sizeof(dropped)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("Invalid length\n"));
return A_ERROR;
}
dropped = *((A_UINT32 *) datap);
if (dropped > 0) {
AR_DEBUG_PRINTF(ATH_DEBUG_TRC,