wlan: Fix out of bound access in oem send response.

Out of bound access is reported by kernel address
sanitizer (KASan) tool.

============================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at
addr ffffffc0132a3e08
Read of size 2100 by task VosMCThread/1769

============================================================

BUG kmalloc-128 (Tainted: G    B      O  ): kasan: bad access
detected

------------------------------------------------------------

Call trace:
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e7c4ac>] dump_stack+0x74/0xfc
[<ffffffc0002f2f18>] print_trailer+0x150/0x164
[<ffffffc0002f32e0>] object_err+0x38/0x4c
[<ffffffc0002f8818>] kasan_report+0x34c/0x504
[<ffffffc0002f7ae0>] __asan_loadN+0x20/0x14c
[<ffffffc0002f7fe4>] memcpy+0x24/0x54
[<ffffffbffc383c68>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc098be8>] send_oem_data_rsp_msg+0x25c/0x338 [wlan]
[<ffffffbffc108f3c>] wlan_hdd_cfg80211_oemdata_callback+0xdc/0x154 [wlan]
[<ffffffbffc3c051c>] WDA_lowLevelIndCallback+0x2df4/0x2e64 [wlan]
[<ffffffbffc3f0554>] WDI_ProcessStartOemDataRspIndNew+0x170/0x1c4 [wlan]
[<ffffffbffc3f9ca4>] WDI_MainRsp+0x25c/0x31c [wlan]
[<ffffffbffc3f276c>] WDI_PostMainEvent+0x14c/0x208 [wlan]
[<ffffffbffc3fe254>] WDI_RXMsgCTSCB+0x3e8/0x434 [wlan]
[<ffffffbffc43e3d8>] WCTS_PALDataCallback+0x158/0x4a8 [wlan]
[<ffffffbffc390990>] VosMCThread+0x3d4/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
Memory state around the buggy address:
ffffffc0132a3d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0132a3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0132a3e00: 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
ffffffc0132a3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0132a3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

=================================================================
Memory corruption is observed during memcpy as the source
buffer (oemDataRsp) size is greater than the destination buffer
size (oemData). The oemData buffer size is derived from the skb, which
is allocated with an incorrect oem data response size.

To address this, allocate the skb with proper oem data response size.

CRs-Fixed: 958507
Change-Id: I362bf71c455d8e66c7f07610a29581ada4b4c655
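The failure pattern the message describes (a destination sized independently of the response, then an unchecked memcpy of the full response) and the corrected sizing, as an added C example that is not part of this commit or the wlan driver. The struct and function names are hypothetical stand-ins; the 128-byte slab and 2100-byte read are the sizes from the KASAN report above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the OEM data response: length plus payload. */
struct oem_data_rsp {
    size_t len;             /* number of valid payload bytes */
    uint8_t data[2100];
};

/* Hypothetical stand-in for the skb data area handed to the copy. */
struct rsp_buf {
    size_t cap;
    uint8_t *data;
};

static struct rsp_buf *rsp_buf_alloc(size_t cap)
{
    struct rsp_buf *b = malloc(sizeof(*b));
    if (!b) return NULL;
    b->data = malloc(cap ? cap : 1);
    if (!b->data) { free(b); return NULL; }
    b->cap = cap;
    return b;
}

static void rsp_buf_free(struct rsp_buf *b) { if (b) { free(b->data); free(b); } }

/* Bounded copy: returns bytes copied, or -1 instead of writing past dst->cap. */
static int copy_oem_rsp(struct rsp_buf *dst, const struct oem_data_rsp *src)
{
    if (!dst || !src || src->len > sizeof(src->data) || src->len > dst->cap)
        return -1;
    memcpy(dst->data, src->data, src->len);
    return (int)src->len;
}

/* Allocate alloc_size bytes for a response of rsp_len bytes and copy it.
 * alloc_size == 128 models the buggy fixed-size allocation; alloc_size ==
 * rsp_len models the fix. Returns bytes copied or -1 when the copy is refused. */
static int oem_copy_with_alloc(size_t alloc_size, size_t rsp_len)
{
    struct oem_data_rsp rsp;
    if (rsp_len > sizeof(rsp.data)) return -1;   /* malformed response: reject */
    rsp.len = rsp_len;
    memset(rsp.data, 0xA5, rsp_len);             /* constructed payload */
    struct rsp_buf *skb = rsp_buf_alloc(alloc_size);
    if (!skb) return -1;
    int rc = copy_oem_rsp(skb, &rsp);
    if (rc >= 0 && memcmp(skb->data, rsp.data, rsp_len) != 0) rc = -1;
    rsp_buf_free(skb);
    return rc;
}
```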
1 file changed
tree: 8d3686b50c003e39f38ff4352393847af96dccfe