[Letux-kernel] New LetuxOS Kernels - strcmp(NULL)

H. Nikolaus Schaller hns at goldelico.com
Sun Jun 24 20:17:38 CEST 2018


> Am 24.06.2018 um 18:08 schrieb H. Nikolaus Schaller <hns at goldelico.com>:
> 
> Hi,
> 
>> Am 24.06.2018 um 09:52 schrieb H. Nikolaus Schaller <hns at goldelico.com>:
>> 
>> Main suspect is the generic-adc-battery driver (although I remember to have seen the
>> strcmp(NULL) once even when blackisting it).
>> 
>> The reason why it is the my main suspect is that the message iio_charge:-747
>> seems to almost always come before platform backlight: Retrying from deferred list
>> (AFAIR in failing and non-failing cases).
>> 
>> But they did not yet confess :)
> 
> well, there is new evidence:
> 
> [    7.479400] really_probe: driver generic-adc-battery
> [    7.484710] gab_probe: properties = ed1fde00
> 
> ^^^ this is a printk for memory block address allocated by
> 
> http://git.goldelico.com/?p=gta04-kernel.git;a=blob;f=drivers/power/supply/generic-adc-battery.c;h=359cc8dac245c071f1ff21b12791ad6c5a9332c4;hb=dca26f608a765008b869991bf29fa241769599fb#l404
> 
> [    7.490631] i2c 1-0030: Retrying from deferred list
> [    7.495849] really_probe: driver ov9655
> [    7.508209] platform backlight: Retrying from deferred list
> [    7.514526] really_probe: driver pwm-backlight
> [    7.524291] pps_core: LinuxPPS API ver. 1 registered
> [    7.532531] pwm-backlight backlight: backlight supply power not found, using dummy regulator
> [    7.545471] (NULL device *): hwmon: 'gta04-battery' is not a valid name attribute, please fix
> [    7.554840] i2c 1-0030: Retrying from deferred list
> [    7.560089] really_probe: driver ov9655
> [    7.570648] platform backlight: Retrying from deferred list
> [    7.583770] really_probe: driver pwm-backlight
> [    7.598083] pinctrl_generic_get_group_name: group ed1fde50 has NULL name
> 
> ^^^ here is the struct group_desc where the group->name magically became NULL
> 
> [    7.605102]   group>name = (null)
> [    7.613464] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti at linux.it>
> [    7.623229]   group>pins = ed1faf10
> [    7.626861]   group>num_pins = 1
> [    7.630340]   group>data = ee444e10
> [    7.633972] pinctrl_generic_group_name_to_selector: pctldev = ee3bb200 function = backlight_pins_pinmux
> [    7.653869] really_probe: driver omap-dmtimer-pwm
> [    7.658966]   strcmp(backlight_pins_pinmux, (null))
> [    7.664062]   get_group_name() = pinctrl_generic_get_group_name+0x0/0xa0
> [    7.682098]   ngroups = 19
> [    7.684936]   selector = 18
> [    7.689056] really_probe: driver connector-analog-tv
> 
> So we have these addresses:
> 
> 	ed1fde00
> 	ed1fde50
> 
> This is just 0x50 bytes apart.
> 
> A write to psy_desc->properties[0x14] = NULL would overwrite ed1fde50->name in this example.

I may have found the final evidence of an out-of-bounds write access (unfortunately not a NULL) in line

http://git.goldelico.com/?p=gta04-kernel.git;a=blob;f=drivers/power/supply/generic-adc-battery.c;h=359cc8dac245c071f1ff21b12791ad6c5a9332c4;hb=dca26f608a765008b869991bf29fa241769599fb#l429

   memcpy(properties + sizeof(*(psy_desc->properties)) * index,

the + of 'properties' and some integer already multiplies the index by sizeof(*properties).

Hence it should IMHO be

   memcpy(properties + index,

or to better describe that memcpy takes an address

   memcpy(&properties[index],

What do you think?

BR,
Nikolaus

> 
> Next I'll add some more printk to study where it is exactly writing to. Maybe one of the
> memcpy address calculations is wrong.
> 
> And I think we should do a code review for the gab driver and the gab_probe() function...
> 
> BR,
> Nikolaus
> 
> 
> _______________________________________________
> http://projects.goldelico.com/p/gta04-kernel/
> Letux-kernel mailing list
> Letux-kernel at openphoenux.org
> http://lists.goldelico.com/mailman/listinfo.cgi/letux-kernel



More information about the Letux-kernel mailing list