msm: ice: Fix stack-out-of-bound erros on kasan builds
ice_type defined in local scope and is passed to class_create
function where it saves the passed buffer as name identifier.
Due to local scope the passed buffer becomes invalid and if
read during uevent can cause in stack-out-of-bounds errors.
This change adds two variable is_sdcc_ice and is_ufscard_ice
which is used to determine corrrect ice instance name. ice
instance names are global macro which is passed to clas_create
which fix stack-out-of-bound issue due to local scope.
Change-Id: I59e617263801a0741e45d423401ce1232b3d65d1
Signed-off-by: Jiten Patel <jitepate@codeaurora.org>
diff --git a/drivers/crypto/msm/ice.c b/drivers/crypto/msm/ice.c
index 42aadb8..138671c 100644
--- a/drivers/crypto/msm/ice.c
+++ b/drivers/crypto/msm/ice.c
@@ -58,7 +58,6 @@
#define ICE_CRYPTO_CXT_FDE 1
#define ICE_CRYPTO_CXT_FBE 2
-#define ICE_INSTANCE_TYPE_LENGTH 12
static int ice_fde_flag;
@@ -584,33 +583,37 @@
unsigned int baseminor = 0;
unsigned int count = 1;
struct device *class_dev;
- char ice_type[ICE_INSTANCE_TYPE_LENGTH];
-
- if (!strcmp(ice_dev->ice_instance_type, "sdcc"))
- strlcpy(ice_type, QCOM_SDCC_ICE_DEV, sizeof(ice_type));
- else if (!strcmp(ice_dev->ice_instance_type, "ufscard"))
- strlcpy(ice_type, QCOM_UFS_CARD_ICE_DEV, sizeof(ice_type));
- else
- strlcpy(ice_type, QCOM_UFS_ICE_DEV, sizeof(ice_type));
+ int is_sdcc_ice = !strcmp(ice_dev->ice_instance_type, "sdcc");
+ int is_ufscard_ice = !strcmp(ice_dev->ice_instance_type, "ufscard");
rc = alloc_chrdev_region(&ice_dev->device_no, baseminor, count,
- ice_type);
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
if (rc < 0) {
pr_err("alloc_chrdev_region failed %d for %s\n", rc,
- ice_type);
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
return rc;
}
- ice_dev->driver_class = class_create(THIS_MODULE, ice_type);
+ ice_dev->driver_class = class_create(THIS_MODULE,
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
if (IS_ERR(ice_dev->driver_class)) {
rc = -ENOMEM;
- pr_err("class_create failed %d for %s\n", rc, ice_type);
+ pr_err("class_create failed %d for %s\n", rc,
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
goto exit_unreg_chrdev_region;
}
class_dev = device_create(ice_dev->driver_class, NULL,
- ice_dev->device_no, NULL, ice_type);
+ ice_dev->device_no, NULL,
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
if (!class_dev) {
- pr_err("class_device_create failed %d for %s\n", rc, ice_type);
+ pr_err("class_device_create failed %d for %s\n", rc,
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
rc = -ENOMEM;
goto exit_destroy_class;
}
@@ -620,7 +623,9 @@
rc = cdev_add(&ice_dev->cdev, MKDEV(MAJOR(ice_dev->device_no), 0), 1);
if (rc < 0) {
- pr_err("cdev_add failed %d for %s\n", rc, ice_type);
+ pr_err("cdev_add failed %d for %s\n", rc,
+ is_sdcc_ice ? QCOM_SDCC_ICE_DEV : is_ufscard_ice ?
+ QCOM_UFS_CARD_ICE_DEV : QCOM_UFS_ICE_DEV);
goto exit_destroy_device;
}
return 0;
diff --git a/include/crypto/ice.h b/include/crypto/ice.h
index 7c1f92e..907bbd4 100644
--- a/include/crypto/ice.h
+++ b/include/crypto/ice.h
@@ -30,7 +30,7 @@
ICE_CRYPTO_USE_LUT_SW_KEY = 0x3
};
-#define QCOM_ICE_TYPE_NAME_LEN 8
+#define QCOM_ICE_TYPE_NAME_LEN 12
typedef void (*ice_error_cb)(void *, u32 error);