linux-brain/drivers/hwtracing/coresight
Sai Prakash Ranjan ef0a06acc6 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
commit 5fae8a946ac2df879caf3f79a193d4766d00239b upstream.

commit 6f755e85c3 ("coresight: Add helper for inserting synchronization
packets") removed the trailing '\0' from the barrier_pkt array and updated the
call sites like etb_update_buffer() to have proper checks for the barrier_pkt
size before reading, but missed updating tmc_update_etf_buffer(), which still
reads barrier_pkt past the array size, resulting in a KASAN out-of-bounds
bug. Fix this by adding a check for the barrier_pkt size before accessing it,
like it is done in etb_update_buffer().

 BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
 Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

 Call trace:
  dump_backtrace+0x0/0x27c
  show_stack+0x20/0x2c
  dump_stack+0x11c/0x188
  print_address_description+0x3c/0x4a4
  __kasan_report+0x140/0x164
  kasan_report+0x10/0x18
  __asan_report_load4_noabort+0x1c/0x24
  tmc_update_etf_buffer+0x4b8/0x698
  etm_event_stop+0x248/0x2d8
  etm_event_del+0x20/0x2c
  event_sched_out+0x214/0x6f0
  group_sched_out+0xd0/0x270
  ctx_sched_out+0x2ec/0x518
  __perf_event_task_sched_out+0x4fc/0xe6c
  __schedule+0x1094/0x16a0
  preempt_schedule_irq+0x88/0x170
  arm64_preempt_schedule_irq+0xf0/0x18c
  el1_irq+0xe8/0x180
  perf_event_exec+0x4d8/0x56c
  setup_new_exec+0x204/0x400
  load_elf_binary+0x72c/0x18c0
  search_binary_handler+0x13c/0x420
  load_script+0x500/0x6c4
  search_binary_handler+0x13c/0x420
  exec_binprm+0x118/0x654
  __do_execve_file+0x77c/0xba4
  __arm64_compat_sys_execve+0x98/0xac
  el0_svc_common+0x1f8/0x5e0
  el0_svc_compat_handler+0x84/0xb0
  el0_svc_compat+0x10/0x50

 The buggy address belongs to the variable:
  barrier_pkt+0x10/0x40

 Memory state around the buggy address:
  ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
  ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
                                      ^
  ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
  ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
 ==================================================================

Link: https://lore.kernel.org/r/20210505093430.18445-1-saiprakash.ranjan@codeaurora.org
Fixes: 0c3fc4d5fa ("coresight: Add barrier packet for synchronisation")
Cc: stable@vger.kernel.org
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20210614175901.532683-6-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-19 08:53:17 +02:00
Kconfig docs: fix a couple of new broken references 2019-07-31 14:12:26 -06:00
Makefile coresight: Rename of_coresight to coresight-platform 2019-06-20 07:56:10 +02:00
coresight-catu.c coresight: Use platform agnostic names 2019-06-20 07:56:13 +02:00
coresight-catu.h coresight: catu: Cleanup device specific data 2019-06-19 20:29:14 +02:00
coresight-cpu-debug.c coresight: cpu-debug: Add support for Qualcomm Kryo 2019-09-03 22:01:15 +02:00
coresight-etb10.c coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() 2020-12-30 11:50:59 +01:00
coresight-etm-cp14.c coresight: Moving framework and drivers to SPDX identifier 2018-05-14 16:19:59 +02:00
coresight-etm-perf.c coresight: etm: perf: Fix warning caused by etm_setup_aux failure 2020-10-29 09:57:43 +01:00
coresight-etm-perf.h coresight: perf: Add "sinks" group to PMU directory 2019-02-08 12:27:36 +01:00
coresight-etm.h coresight: etm: Clean up device specific data 2019-06-19 20:29:14 +02:00
coresight-etm3x-sysfs.c coresight: etm: Clean up device specific data 2019-06-19 20:29:14 +02:00
coresight-etm3x.c coresight: Do not default to CPU0 for missing CPU phandle 2019-07-04 12:23:26 +02:00
coresight-etm4x-sysfs.c coresight: etm4x: Fix input validation for sysfs. 2019-12-13 08:42:43 +01:00
coresight-etm4x.c coresight: etm4x: Fix use-after-free of per-cpu etm drvdata 2020-10-01 13:18:02 +02:00
coresight-etm4x.h coresight: etm: Clean up device specific data 2019-06-19 20:29:14 +02:00
coresight-funnel.c coresight: Serialize enabling/disabling a link device. 2019-12-17 19:56:41 +01:00
coresight-platform.c drivers: Introduce device lookup variants by fwnode 2019-07-30 13:07:42 +02:00
coresight-priv.h coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() 2020-12-30 11:50:59 +01:00
coresight-replicator.c coresight: Serialize enabling/disabling a link device. 2019-12-17 19:56:41 +01:00
coresight-stm.c coresight: stm: ACPI support for parsing stimulus base 2019-06-20 07:56:14 +02:00
coresight-tmc-etf.c coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer() 2021-07-19 08:53:17 +02:00
coresight-tmc-etr.c coresight: tmc-etr: Fix barrier packet insertion for perf buffer 2020-12-30 11:50:59 +01:00
coresight-tmc.c coresight: tmc: Make memory width mask computation into a function 2019-09-03 22:01:18 +02:00
coresight-tmc.h coresight: tmc: Make memory width mask computation into a function 2019-09-03 22:01:18 +02:00
coresight-tpiu.c coresight: Use platform agnostic names 2019-06-20 07:56:13 +02:00
coresight.c Revert "coresight: Make sysfs functional on topologies with per core sink" 2020-11-10 12:37:31 +01:00