From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephen Boyd, Bjorn Andersson
Subject: [PATCH 5.15 04/28] remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided
Date: Tue, 18 Jan 2022 17:05:50 +0100
Message-Id: <20220118160452.025245220@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220118160451.879092022@linuxfoundation.org>
References: <20220118160451.879092022@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Stephen Boyd

commit fdc12231d885119cc2e2b4f3e0fbba3155f37a56 upstream.

If the string passed into qcom_pil_info_store() isn't as long as
PIL_RELOC_NAME_LEN we'll try to copy the string assuming the length is
PIL_RELOC_NAME_LEN to the io space and go beyond the bounds of the
string. Let's only copy as many bytes as the string is long, ignoring the
NUL terminator.

This fixes the following KASAN error:

 BUG: KASAN: global-out-of-bounds in __memcpy_toio+0x124/0x140
 Read of size 1 at addr ffffffd35086e386 by task rmtfs/2392

 CPU: 2 PID: 2392 Comm: rmtfs Tainted: G W 5.16.0-rc1-lockdep+ #10
 Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
 Call trace:
  dump_backtrace+0x0/0x410
  show_stack+0x24/0x30
  dump_stack_lvl+0x7c/0xa0
  print_address_description+0x78/0x2bc
  kasan_report+0x160/0x1a0
  __asan_report_load1_noabort+0x44/0x50
  __memcpy_toio+0x124/0x140
  qcom_pil_info_store+0x298/0x358 [qcom_pil_info]
  q6v5_start+0xdf0/0x12e0 [qcom_q6v5_mss]
  rproc_start+0x178/0x3a0
  rproc_boot+0x5f0/0xb90
  state_store+0x78/0x1bc
  dev_attr_store+0x70/0x90
  sysfs_kf_write+0xf4/0x118
  kernfs_fop_write_iter+0x208/0x300
  vfs_write+0x55c/0x804
  ksys_pwrite64+0xc8/0x134
  __arm64_compat_sys_aarch32_pwrite64+0xc4/0xdc
  invoke_syscall+0x78/0x20c
  el0_svc_common+0x11c/0x1f0
  do_el0_svc_compat+0x50/0x60
  el0_svc_compat+0x5c/0xec
  el0t_32_sync_handler+0xc0/0xf0
  el0t_32_sync+0x1a4/0x1a8

 The buggy address belongs to the variable:
  .str.59+0x6/0xffffffffffffec80 [qcom_q6v5_mss]

 Memory state around the buggy address:
  ffffffd35086e280: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  ffffffd35086e300: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
 >ffffffd35086e380: 06 f9 f9 f9 05 f9 f9 f9 00 00 00 00 00 06 f9 f9
                    ^
  ffffffd35086e400: f9 f9 f9 f9 01 f9 f9 f9 04 f9 f9 f9 00 00 01 f9
  ffffffd35086e480: f9 f9 f9 f9 00 00 00 00 00 00 00 01 f9 f9 f9 f9

Fixes: 549b67da660d ("remoteproc: qcom: Introduce helper to store pil info in IMEM")
Signed-off-by: Stephen Boyd
Reviewed-by: Bjorn Andersson
Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211117065454.4142936-1-swboyd@chromium.org Signed-off-by: Greg Kroah-Hartman --- drivers/remoteproc/qcom_pil_info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/remoteproc/qcom_pil_info.c +++ b/drivers/remoteproc/qcom_pil_info.c @@ -104,7 +104,7 @@ int qcom_pil_info_store(const char *imag return -ENOMEM; found_unused: - memcpy_toio(entry, image, PIL_RELOC_NAME_LEN); + memcpy_toio(entry, image, strnlen(image, PIL_RELOC_NAME_LEN)); found_existing: /* Use two writel() as base is only aligned to 4 bytes on odd entries */ writel(base, entry + PIL_RELOC_NAME_LEN);
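Review bot: With the strnlen() copy at found_unused, the tail of the PIL_RELOC_NAME_LEN-byte name field is no longer written when the image name is shorter than the field, so whatever bytes the IMEM slot held before stay in place after it. If an unused slot is not guaranteed to be all zero before it is claimed, follow the copy with a memset_io() of the remaining PIL_RELOC_NAME_LEN - len bytes (computing the strnlen() result once into a local), or add a comment stating that unused slots are known to be zeroed so a reader of the name field does not have to reason about stale bytes.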
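The over-read the commit message describes is easy to lose in the KASAN dump, so here is an added userspace model of it, written for this page and not taken from the driver or the kernel. It assumes an 8-byte name field (PIL_RELOC_NAME_LEN as I recall it from drivers/remoteproc/qcom_pil_info.c; treat the value as an assumption), stands in a byte-by-byte loop for memcpy_toio(), and lays short string literals next to each other in a constructed array the way the compiler lays out .str.NN symbols, so the extra bytes the fixed-length copy reads are visible instead of being undefined behaviour. The names model_memcpy_toio, store_name_buggy, store_name_fixed and rodata_arena are all hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the driver's name field is 8 bytes wide. */
#define PIL_RELOC_NAME_LEN 8

/* Stand-in for memcpy_toio(): __memcpy_toio() walks the source a byte at a
 * time, which is why KASAN reports a "Read of size 1" at the first bad byte. */
static void model_memcpy_toio(uint8_t *dst, const uint8_t *src, size_t n)
{
	for (size_t i = 0; i < n; i++)
		dst[i] = src[i];
}

/* Constructed layout of adjacent NUL-terminated literals, as in .rodata.
 * "modem" occupies bytes 0..4, its NUL is byte 5, "adsp" starts at byte 6. */
static const char rodata_arena[] = "modem\0adsp\0wlan";

/* Pre-fix behaviour: always copies PIL_RELOC_NAME_LEN bytes from the name,
 * however short it is. */
static void store_name_buggy(uint8_t *entry, const char *image)
{
	model_memcpy_toio(entry, (const uint8_t *)image, PIL_RELOC_NAME_LEN);
}

/* Post-fix behaviour: copy only the name's own bytes, capped at the field
 * width and without the NUL. Returns the number of bytes written. */
static size_t store_name_fixed(uint8_t *entry, const char *image)
{
	size_t len = strnlen(image, PIL_RELOC_NAME_LEN);

	model_memcpy_toio(entry, (const uint8_t *)image, len);
	return len;
}

/* Buggy copy of "modem" into a zeroed field: bytes 6 and 7 of the field end
 * up holding 'a' and 'd', the start of the neighbouring literal. Returns 1
 * when that leak is observed. */
int buggy_copy_leaks_neighbour(void)
{
	uint8_t entry[PIL_RELOC_NAME_LEN] = {0};
	const char *image = rodata_arena;   /* "modem" */

	store_name_buggy(entry, image);
	return entry[6] == 'a' && entry[7] == 'd';
}

/* Fixed copy of the same name: exactly "modem" lands and the tail of the
 * field keeps whatever it held before (zero here). */
int fixed_copy_is_clean(void)
{
	uint8_t entry[PIL_RELOC_NAME_LEN] = {0};
	size_t n = store_name_fixed(entry, rodata_arena);

	return n == 5 && memcmp(entry, "modem", 5) == 0 &&
	       entry[5] == 0 && entry[6] == 0 && entry[7] == 0;
}

/* Names at or beyond the field width are cut to PIL_RELOC_NAME_LEN bytes
 * with no terminator, which is what "ignoring the NUL terminator" means. */
size_t fixed_copy_len(const char *image)
{
	uint8_t entry[PIL_RELOC_NAME_LEN] = {0};

	return store_name_fixed(entry, image);
}

int main(void)
{
	printf("buggy copy leaks neighbour bytes: %d\n", buggy_copy_leaks_neighbour());
	printf("fixed copy is clean: %d\n", fixed_copy_is_clean());
	printf("fixed copy of \"verylongname\" writes %zu bytes\n",
	       fixed_copy_len("verylongname"));
	return 0;
}
```

The model also makes the cost of the fix visible: because the field is not NUL-terminated and only the name's own bytes are written, a slot that is reused keeps the previous occupant's trailing bytes unless the caller clears them.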