Jisoo Jang
683b9728f2
wifi: brcmfmac: Fix potential NULL pointer dereference in 'brcmf_c_preinit_dcmds()'
This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
when ptr, which is a NULL pointer, is passed as an argument to strlcpy() in
brcmf_c_preinit_dcmds(). This happens when the driver passes a firmware
version string that does not contain a space " ", making strrchr()
return a null pointer. This patch adds a null pointer check.
Found by a modified version of syzkaller.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1983 Comm: kworker/0:2 Not tainted 5.14.0+ #79
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:strlen+0x1a/0x90
Code: 23 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 b8 00 00 00 00
00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04
02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00
RSP: 0018:ffffc90002bfedd8 EFLAGS: 00010296
RAX: dffffc0000000000 RBX: 1ffff9200057fdc1 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000039 R09: ffffed1023549801
R10: ffff88811aa4c007 R11: ffffed1023549800 R12: ffff88800bc68d6c
R13: ffffc90002bfef08 R14: ffff88800bc6bc7c R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020546180 CR3: 0000000117ff1000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
brcmf_c_preinit_dcmds+0x9f2/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1703/0x1dd0
? kmemdup+0x43/0x50
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x2aa/0x760
? usb_probe_device+0x250/0x250
really_probe+0x205/0xb70
? driver_allows_async_probing+0x130/0x130
__driver_probe_device+0x311/0x4b0
? driver_allows_async_probing+0x130/0x130
driver_probe_device+0x4e/0x150
__device_attach_driver+0x1cc/0x2a0
bus_for_each_drv+0x156/0x1d0
? bus_rescan_devices+0x30/0x30
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x46/0x160
__device_attach+0x23f/0x3a0
? device_bind_driver+0xd0/0xd0
? kobject_uevent_env+0x287/0x14b0
bus_probe_device+0x1da/0x290
device_add+0xb7b/0x1eb0
? wait_for_completion+0x290/0x290
? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
usb_set_configuration+0xf59/0x16f0
usb_generic_driver_probe+0x82/0xa0
usb_probe_device+0xbb/0x250
? usb_suspend+0x590/0x590
really_probe+0x205/0xb70
? driver_allows_async_probing+0x130/0x130
__driver_probe_device+0x311/0x4b0
? usb_generic_driver_match+0x75/0x90
? driver_allows_async_probing+0x130/0x130
driver_probe_device+0x4e/0x150
__device_attach_driver+0x1cc/0x2a0
bus_for_each_drv+0x156/0x1d0
? bus_rescan_devices+0x30/0x30
? _raw_spin_unlock_irqrestore+0x47/0x50
__device_attach+0x23f/0x3a0
? device_bind_driver+0xd0/0xd0
? kobject_uevent_env+0x287/0x14b0
bus_probe_device+0x1da/0x290
device_add+0xb7b/0x1eb0
? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
? kfree+0x14a/0x6b0
? __usb_get_extra_descriptor+0x116/0x160
usb_new_device.cold+0x49c/0x1029
? hub_disconnect+0x450/0x450
? rwlock_bug.part.0+0x90/0x90
? _raw_spin_unlock_irq+0x24/0x30
? lockdep_hardirqs_on_prepare+0x273/0x3e0
hub_event+0x248b/0x31c9
? usb_port_suspend.cold+0x139/0x139
? check_irq_usage+0x861/0xf20
? drain_workqueue+0x280/0x360
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x92b/0x1460
? pwq_dec_nr_in_flight+0x330/0x330
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x95/0xe00
? __kthread_parkme+0x115/0x1e0
? process_one_work+0x1460/0x1460
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
Modulesdd linked in:
---[ end trace c112c68924ddd800 ]---
RIP: 0010:strlen+0x1a/0x90
Code: 23 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 b8 00 00 00 00
00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04
02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00
RSP: 0018:ffffc90002bfedd8 EFLAGS: 00010296
RAX: dffffc0000000000 RBX: 1ffff9200057fdc1 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000039 R09: ffffed1023549801
R10: ffff88811aa4c007 R11: ffffed1023549800 R12: ffff88800bc68d6c
R13: ffffc90002bfef08 R14: ffff88800bc6bc7c R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020546180 CR3: 0000000117ff1000 CR4: 0000000000750ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221101183642.166450-1-jisoo.jang@yonsei.ac.kr
2022-11-04 13:01:02 +02:00
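The failure pattern behind this commit, strrchr() returning NULL for an unexpected string and that NULL being handed straight to a copy routine, is easy to reproduce in user space. The following is an added illustration written for this page, not the brcmfmac driver's code: it parses the last space-separated token of a hypothetical firmware "ver" reply (the sample strings and the FWVER_LEN size are constructed) and rejects a reply with no space instead of dereferencing the NULL result.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size, chosen for this example only. */
#define FWVER_LEN 32

/*
 * Extract the firmware version from a reply whose last space-separated
 * token is the version. Returns 0 and writes the version into `out`, or
 * -EINVAL when the reply has no space at all (the case the commit fixes),
 * so strrchr()'s NULL result is never passed on to a string copy.
 */
int fw_version_from_reply(const char *reply, char *out, size_t outlen)
{
    const char *ptr;

    if (!reply || !out || outlen == 0)
        return -EINVAL;

    ptr = strrchr(reply, ' ');
    if (!ptr) {
        /* Unexpected format: refuse rather than dereference NULL. */
        out[0] = '\0';
        return -EINVAL;
    }

    /* snprintf() truncates and NUL-terminates, like strlcpy() would. */
    snprintf(out, outlen, "%s", ptr + 1);
    return 0;
}

int main(void)
{
    char ver[FWVER_LEN];
    /* Constructed sample replies; the second one carries no space. */
    const char *well_formed = "wl0: Jan 1 2020 version 7.45.98";
    const char *malformed = "7.45.98";

    if (fw_version_from_reply(well_formed, ver, sizeof(ver)) == 0)
        printf("version: %s\n", ver);
    if (fw_version_from_reply(malformed, ver, sizeof(ver)) == -EINVAL)
        printf("rejected reply without a space\n");
    return 0;
}
```

The unchecked variant, `strlcpy(dst, strrchr(buf, ' ') + 1, len)`, turns a malformed reply from a device into a kernel NULL dereference; since the reply originates from the attached USB device, the check is input validation on untrusted data, not just defensive style.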