aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristian Neumüller <cn00@gmx.at>2014-09-09 11:20:19 +0200
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2017-05-15 02:18:23 +0200
commitdb423114339705ea03e45487f55ab8bbf64f4d3c (patch)
treea6cbec9bd06ef7dc992055022d678fb8ccfe6da8
parent18e37f85679895b69a3ee41e8caf0dcbca3b8db5 (diff)
downloadkernel_samsung_smdk4412-db423114339705ea03e45487f55ab8bbf64f4d3c.zip
kernel_samsung_smdk4412-db423114339705ea03e45487f55ab8bbf64f4d3c.tar.gz
kernel_samsung_smdk4412-db423114339705ea03e45487f55ab8bbf64f4d3c.tar.bz2
bcmdhd wireless: Fix off by one in initialization.
An sprintf in dhd_write_macaddr wrote a rogue null byte after the buffer. Found with CONFIG_CC_STACKPROTECTOR=y (idea of Lanchon at XDA Developers [1]). [1]: http://forum.xda-developers.com/showthread.php?p=55306602 Panic, on a Samsung Galaxy S2 i9100, was: <0>[ 26.412257] c1 Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bf013a2c <0>[ 26.412315] c1 <4>[ 26.412334] c1 Backtrace: <4>[ 26.412382] c1 [<c064e5b8>] (dump_backtrace+0x0/0x10c) from [<c0b91e6c>] (dump_stack+0x18/0x1c) <4>[ 26.412439] c1 r6:e211e820 r5:c0ed4760 r4:c0f5c940 r3:271aed5c <4>[ 26.412496] c1 [<c0b91e54>] (dump_stack+0x0/0x1c) from [<c0b92204>] (panic+0x80/0x1ac) <4>[ 26.412561] c1 [<c0b92184>] (panic+0x0/0x1ac) from [<c0684be0>] (init_oops_id+0x0/0x58) <4>[ 26.412613] c1 r3:271aed5c r2:271aed00 r1:bf013a2c r0:c0cb8880 <4>[ 26.412663] c1 r7:e273bc32 <4>[ 26.412742] c1 [<c0684bc4>] (__stack_chk_fail+0x0/0x1c) from [<bf013a2c>] (dhd_write_macaddr+0x2e4/0x310 [dhd]) <4>[ 26.412864] c1 [<bf013748>] (dhd_write_macaddr+0x0/0x310 [dhd]) from [<bf01a554>] (dhd_bus_start+0x1a4/0x2e0 [dhd]) <4>[ 26.412985] c1 [<bf01a3b0>] (dhd_bus_start+0x0/0x2e0 [dhd]) from [<bf020558>] (dhdsdio_probe+0x4a4/0x72c [dhd]) <4>[ 26.413097] c1 [<bf0200b4>] (dhdsdio_probe+0x0/0x72c [dhd]) from [<bf00c0ec>] (bcmsdh_probe+0xf8/0x150 [dhd]) <4>[ 26.413206] c1 [<bf00bff4>] (bcmsdh_probe+0x0/0x150 [dhd]) from [<bf00e038>] (bcmsdh_sdmmc_probe+0x54/0xbc [dhd]) <4>[ 26.413304] c1 [<bf00dfe4>] (bcmsdh_sdmmc_probe+0x0/0xbc [dhd]) from [<c09a7fe8>] (sdio_bus_probe+0xfc/0x108) <4>[ 26.413368] c1 r5:e2d97000 r4:e2d97008 <4>[ 26.413414] c1 [<c09a7eec>] (sdio_bus_probe+0x0/0x108) from [<c0896764>] (driver_probe_device+0x94/0x1a8) <4>[ 26.413474] c1 r8:00000000 r7:bf067414 r6:e2d9703c r5:c0f6ddb8 r4:e2d97008 <4>[ 26.413531] c1 r3:c09a7eec <4>[ 26.413563] c1 [<c08966d0>] (driver_probe_device+0x0/0x1a8) from [<c089690c>] (__driver_attach+0x94/0x98) <4>[ 26.413624] c1 r7:e2e631e0 r6:e2d9703c r5:bf067414 r4:e2d97008 <4>[ 26.413683] c1 [<c0896878>] (__driver_attach+0x0/0x98) from [<c0895678>] (bus_for_each_dev+0x4c/0x94) <4>[ 26.413742] c1 r6:c0896878 r5:bf067414 r4:00000000 r3:c0896878 <4>[ 26.413799] c1 [<c089562c>] (bus_for_each_dev+0x0/0x94) from [<c0896428>] (driver_attach+0x24/0x28) <4>[ 26.413857] c1 r6:c0f02af0 r5:bf067414 r4:bf067414 <4>[ 26.413904] c1 [<c0896404>] (driver_attach+0x0/0x28) from [<c08960c8>] (bus_add_driver+0x180/0x250) <4>[ 26.413970] c1 [<c0895f48>] (bus_add_driver+0x0/0x250) from [<c0896e14>] (driver_register+0x80/0x150) <4>[ 26.414037] c1 [<c0896d94>] (driver_register+0x0/0x150) from [<c09a8128>] (sdio_register_driver+0x2c/0x30) <4>[ 26.414131] c1 [<c09a80fc>] (sdio_register_driver+0x0/0x30) from [<bf00e250>] (sdio_function_init+0x3c/0x8c [dhd]) <4>[ 26.414244] c1 [<bf00e214>] (sdio_function_init+0x0/0x8c [dhd]) from [<bf00c19c>] (bcmsdh_register+0x1c/0x24 [dhd]) <4>[ 26.414311] c1 r5:00000004 r4:bf06a3c4 <4>[ 26.414398] c1 [<bf00c180>] (bcmsdh_register+0x0/0x24 [dhd]) from [<bf027990>] (dhd_bus_register+0x24/0x48 [dhd]) <4>[ 26.414515] c1 [<bf02796c>] (dhd_bus_register+0x0/0x48 [dhd]) from [<bf07618c>] (init_module+0x18c/0x284 [dhd]) <4>[ 26.414610] c1 [<bf076000>] (init_module+0x0/0x284 [dhd]) from [<c06448f8>] (do_one_initcall+0x128/0x1a8) <4>[ 26.414683] c1 [<c06447d0>] (do_one_initcall+0x0/0x1a8) from [<c06b9710>] (sys_init_module+0xdf8/0x1b1c) <4>[ 26.414756] c1 [<c06b8918>] (sys_init_module+0x0/0x1b1c) from [<c064a8c0>] (ret_fast_syscall+0x0/0x30) <2>[ 26.414861] c0 CPU0: stopping <4>[ 26.414886] c0 Backtrace: <4>[ 26.414920] c0 [<c064e5b8>] (dump_backtrace+0x0/0x10c) from [<c0b91e6c>] (dump_stack+0x18/0x1c) <4>[ 26.414977] c0 r6:c0d54000 r5:c0eb5d08 r4:00000006 r3:271aed5c <4>[ 26.415039] c0 [<c0b91e54>] (dump_stack+0x0/0x1c) from [<c06444bc>] (do_IPI+0x258/0x29c) <4>[ 26.415102] c0 [<c0644264>] (do_IPI+0x0/0x29c) from [<c064a340>] (__irq_svc+0x80/0x130) <4>[ 26.415156] c0 Exception stack(0xc0d55ef0 to 0xc0d55f38) <4>[ 26.415197] c0 5ee0: 3b9ac9ff 540deacd 01c99e53 00072679 <4>[ 26.415258] c0 5f00: c0f5a468 00000000 c0d54000 00000000 c1b540a8 412fc091 00000000 c0d55f64 <4>[ 26.415317] c0 5f20: 540deacd c0d55f38 c06aa768 c065bd78 20000013 ffffffff <4>[ 26.415380] c0 [<c065bd3c>] (exynos4_enter_idle+0x0/0x174) from [<c099a890>] (cpuidle_idle_call+0xa4/0x120) <4>[ 26.415442] c0 r7:00000000 r6:00000001 r5:c0f815ac r4:c1b540b8 <4>[ 26.415498] c0 [<c099a7ec>] (cpuidle_idle_call+0x0/0x120) from [<c064bd40>] (cpu_idle+0xc4/0x100) <4>[ 26.415554] c0 r8:4000406a r7:c0ba09a8 r6:c0f59ec4 r5:c0ebd8c4 r4:c0d54000 <4>[ 26.415610] c0 r3:c099a7ec <4>[ 26.415641] c0 [<c064bc7c>] (cpu_idle+0x0/0x100) from [<c0b83238>] (rest_init+0x8c/0xa4) <4>[ 26.415694] c0 r7:c1b51180 r6:c0f59e00 r5:00000002 r4:c0d54000 <4>[ 26.415752] c0 [<c0b831ac>] (rest_init+0x0/0xa4) from [<c00089c4>] (start_kernel+0x2dc/0x330) <4>[ 26.415807] c0 r5:c063d944 r4:c0eb5d34 <4>[ 26.415845] c0 [<c00086e8>] (start_kernel+0x0/0x330) from [<40008044>] (0x40008044) Change-Id: Iaa907383e196fdf787ae4660977b58de79212de1
-rw-r--r--drivers/net/wireless/bcmdhd/dhd_custom_sec.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/net/wireless/bcmdhd/dhd_custom_sec.c b/drivers/net/wireless/bcmdhd/dhd_custom_sec.c
index b20aabd..c099490 100644
--- a/drivers/net/wireless/bcmdhd/dhd_custom_sec.c
+++ b/drivers/net/wireless/bcmdhd/dhd_custom_sec.c
@@ -360,6 +360,8 @@ void get_customized_country_code(void *adapter, char *country_iso_code, wl_count
#define CIS_TUPLE_TAG_MACADDR 0x19
#define CIS_TUPLE_TAG_MACADDR_OFF ((TLV_BODY_OFF) + (1))
+#define MACBUFFER_SZ (sizeof("00:11:22:33:44:55\n"))
+
#ifdef READ_MACADDR
int dhd_read_macaddr(struct dhd_info *dhd, struct ether_addr *mac)
{
@@ -1186,7 +1188,7 @@ int dhd_write_macaddr(struct ether_addr *mac)
char *filepath_efs = MACINFO_EFS;
struct file *fp_mac = NULL;
- char buf[18] = {0};
+ char buf[MACBUFFER_SZ] = {0};
mm_segment_t oldfs = {0};
int ret = -1;
int retry_count = 0;
@@ -1209,7 +1211,7 @@ startwrite:
if (fp_mac->f_mode & FMODE_WRITE) {
ret = fp_mac->f_op->write(fp_mac, (const char *)buf,
- sizeof(buf), &fp_mac->f_pos);
+ sizeof(buf) - 1 /* skip null byte */, &fp_mac->f_pos);
if (ret < 0)
DHD_ERROR(("[WIFI_SEC] Mac address [%s] Failed to"
" write into File: %s\n", buf, filepath_data));
@@ -1249,7 +1251,7 @@ startwrite:
if (fp_mac->f_mode & FMODE_WRITE) {
ret = fp_mac->f_op->write(fp_mac, (const char *)buf,
- sizeof(buf), &fp_mac->f_pos);
+ sizeof(buf) - 1 /* skip null byte */, &fp_mac->f_pos);
if (ret < 0)
DHD_ERROR(("[WIFI_SEC] Mac address [%s] Failed to"
" write into File: %s\n", buf, filepath_efs));