[PATCH] net: dsa: sja1105: fix slab-out-of-bounds in sja1105_setup

From: Radu Nicolae Pirea (OSS)
Date: Tue Dec 06 2022 - 10:16:40 EST

Next message: Jisheng Zhang: "Re: [PATCH v2 01/13] riscv: fix jal offsets in patched alternatives"
Previous message: Guenter Roeck: "Re: [PATCH 5.15 000/123] 5.15.82-rc2 review"
Next in thread: Vladimir Oltean: "Re: [PATCH] net: dsa: sja1105: fix slab-out-of-bounds in sja1105_setup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Radu Pirea <radu-nicolae.pirea@xxxxxxx>

Fix slab-out-of-bounds in sja1105_setup.

Kernel log:

[ 98.394543] sja1105 spi5.0: Probed switch chip: SJA1105Q
[ 98.425782] ==================================================================
[ 98.425819] BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
[ 98.425880] Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8

[ 98.425921] CPU: 0 PID: 8 Comm: kworker/u8:0 Tainted: G O 5.15.73-rt52-00001-g9f4226d49b44 #6
[ 98.425955] Hardware name: NXP S32G2XXX-EVB (DT)
[ 98.425975] Workqueue: events_unbound deferred_probe_work_func
[ 98.426039] Call trace:
[ 98.426049] dump_backtrace+0x0/0x2b4
[ 98.426099] show_stack+0x18/0x24
[ 98.426140] dump_stack_lvl+0x68/0x84
[ 98.426179] print_address_description.constprop.0+0x78/0x29c
[ 98.426221] kasan_report+0x1d4/0x240
[ 98.426261] __asan_store8+0x98/0xd0
[ 98.426299] sja1105_setup+0x1cbc/0x2340
[ 98.426331] dsa_register_switch+0x1284/0x18d0
[ 98.426381] sja1105_probe+0x748/0x840
[ 98.426411] spi_probe+0xb0/0x110
[ 98.426458] really_probe.part.0+0xf8/0x48c
[ 98.426503] __driver_probe_device+0xd4/0x180
[ 98.426546] driver_probe_device+0xf8/0x1e0
[ 98.426588] __device_attach_driver+0xe8/0x1a0
[ 98.426631] bus_for_each_drv+0xf4/0x15c
[ 98.426670] __device_attach+0x120/0x270
[ 98.426711] device_initial_probe+0x14/0x20
[ 98.426753] bus_probe_device+0xec/0x100
[ 98.426793] deferred_probe_work_func+0xe8/0x130
[ 98.426835] process_one_work+0x3cc/0x664
[ 98.426872] worker_thread+0xa0/0x72c
[ 98.426904] kthread+0x21c/0x230
[ 98.426946] ret_from_fork+0x10/0x20

[ 98.426988] Allocated by task 8:
[ 98.427004] kasan_save_stack+0x28/0x60
[ 98.427040] __kasan_kmalloc+0x8c/0xb0
[ 98.427072] __kmalloc+0xdc/0x1a0
[ 98.427100] kmalloc_array.constprop.0+0x20/0x34
[ 98.427131] sja1105_setup+0x1bcc/0x2340
[ 98.427160] dsa_register_switch+0x1284/0x18d0
[ 98.427203] sja1105_probe+0x748/0x840
[ 98.427232] spi_probe+0xb0/0x110
[ 98.427274] really_probe.part.0+0xf8/0x48c
[ 98.427316] __driver_probe_device+0xd4/0x180
[ 98.427357] driver_probe_device+0xf8/0x1e0
[ 98.427398] __device_attach_driver+0xe8/0x1a0
[ 98.427441] bus_for_each_drv+0xf4/0x15c
[ 98.427478] __device_attach+0x120/0x270
[ 98.427516] device_initial_probe+0x14/0x20
[ 98.427557] bus_probe_device+0xec/0x100
[ 98.427596] deferred_probe_work_func+0xe8/0x130
[ 98.427636] process_one_work+0x3cc/0x664
[ 98.427668] worker_thread+0xa0/0x72c
[ 98.427698] kthread+0x21c/0x230
[ 98.427737] ret_from_fork+0x10/0x20

[ 98.427775] The buggy address belongs to the object at ffffff880bd57000
which belongs to the cache kmalloc-2k of size 2048
[ 98.427801] The buggy address is located 1800 bytes inside of
2048-byte region [ffffff880bd57000, ffffff880bd57800)
[ 98.427833] The buggy address belongs to the page:
[ 98.427848] page:0000000065dd1b0f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88bd57
[ 98.427881] flags: 0x8000000000000200(slab|zone=2)
[ 98.427935] raw: 8000000000000200 fffffffe1c296ad8 fffffffe1c296b80 ffffff8800000400
[ 98.427966] raw: 0000000000000000 ffffff880bd57000 0000000100000001
[ 98.427982] page dumped because: kasan: bad access detected

[ 98.428003] Memory state around the buggy address:
[ 98.428021] ffffff880bd57600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 98.428046] ffffff880bd57680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 98.428072] >ffffff880bd57700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 98.428088] ^
[ 98.428106] ffffff880bd57780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 98.428131] ffffff880bd57800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 98.428148] ==================================================================

Signed-off-by: Radu Pirea <radu-nicolae.pirea@xxxxxxx>
---
drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Can be applied on top of 5.15.81 stable branch.

Cheers.
Radu P.

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index 412666111b0c..b70dcf32a26d 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1038,7 +1038,7 @@ static int sja1105_init_l2_policing(struct sja1105_private *priv)

policing[bcast].sharindx = port;
/* Only SJA1110 has multicast policers */
- if (mcast <= table->ops->max_entry_count)
+ if (mcast < table->ops->max_entry_count)
policing[mcast].sharindx = port;
}

--
2.34.1

Next message: Jisheng Zhang: "Re: [PATCH v2 01/13] riscv: fix jal offsets in patched alternatives"
Previous message: Guenter Roeck: "Re: [PATCH 5.15 000/123] 5.15.82-rc2 review"
Next in thread: Vladimir Oltean: "Re: [PATCH] net: dsa: sja1105: fix slab-out-of-bounds in sja1105_setup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]