linux_dsm_epyc7002/drivers/net
Tobias Regnery 4c0bfeaae9 brcmsmac: fix array out-of-bounds access in qm_log10
I get the following UBSAN warning during boot on my laptop:

================================================================================
UBSAN: Undefined behaviour in drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:280:21
index 32 is out of range for type 's16 [32]'
CPU: 0 PID: 879 Comm: NetworkManager Not tainted 4.9.0-rc4 #28
Hardware name: LENOVO Lenovo IdeaPad N581/INVALID, BIOS 5ECN96WW(V9.01) 03/14/2013
ffff8800b74a6478 ffffffff828e59d2 0000000041b58ab3 ffffffff8398330c
ffffffff828e5920 ffff8800b74a64a0 ffff8800b74a6450 0000000000000020
1ffffffff845848c ffffed0016e94bf1 ffffffffc22c2460 000000006b9c0514
Call Trace:
[<ffffffff828e59d2>] dump_stack+0xb2/0x110
[<ffffffff828e5920>] ? _atomic_dec_and_lock+0x150/0x150
[<ffffffff82968c9d>] ubsan_epilogue+0xd/0x4e
[<ffffffff82969875>] __ubsan_handle_out_of_bounds+0xfa/0x13e
[<ffffffff8296977b>] ? __ubsan_handle_shift_out_of_bounds+0x241/0x241
[<ffffffffc0d48379>] ? bcma_host_pci_read16+0x59/0xa0 [bcma]
[<ffffffffc0d48388>] ? bcma_host_pci_read16+0x68/0xa0 [bcma]
[<ffffffffc212ad78>] ? read_phy_reg+0xe8/0x180 [brcmsmac]
[<ffffffffc2184714>] qm_log10+0x2e4/0x350 [brcmsmac]
[<ffffffffc2142eb8>] wlc_phy_init_lcnphy+0x538/0x1f20 [brcmsmac]
[<ffffffffc2142980>] ? wlc_lcnphy_periodic_cal+0x5c0/0x5c0 [brcmsmac]
[<ffffffffc1ba0c93>] ? ieee80211_open+0xb3/0x110 [mac80211]
[<ffffffff82f73a02>] ? sk_busy_loop+0x1e2/0x840
[<ffffffff82f7a6ce>] ? __dev_change_flags+0xae/0x220
...

The report is valid: doing the math in this function, with an input value
N=63 the variable s16tableIndex gets a value of 31. This value is used as
an index in the array log_table with 32 entries. But the next line is:

	s16errorApproximation = (s16) qm_mulu16(u16offset,
				(u16) (log_table[s16tableIndex + 1] -
				       log_table[s16tableIndex]));

With s16tableIndex + 1 we are trying an out-of-bounds access to the array.

The log_table array provides log2 values in q.15 format and the above
statement tries an error approximation with the next value. To fix this
issue add the next value to the array and update the comment accordingly.

Signed-off-by: Tobias Regnery <tobias.regnery@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-25 11:56:34 +02:00
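
The off-by-one described in the commit message above, as an added example that is not the driver's code: interpolating between knot i and knot i + 1 over indices 0..31 needs 33 knots, not 32. The knot values, the index split and the function names are constructed for illustration, and the explicit bounds check is an alternative hardening, not what the commit does (it extends the table).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INTERVALS 32   /* the table is indexed 0..31, as in the commit */

/* Interpolated lookup for input n over a table of `entries` knots.
 * Returns the value, or -1 where the upper knot would lie past the table. */
static int lookup(const int16_t *t, size_t entries, uint16_t n)
{
    if (n == 0)
        return -1;                       /* no leading one to normalise on */
    uint16_t norm = n;
    while (!(norm & 0x8000))             /* move the leading one to bit 15 */
        norm = (uint16_t)(norm << 1);
    /* Hypothetical split: 5 bits below the leading one pick the interval,
     * the remaining 10 bits become a left-aligned 16-bit fraction. */
    size_t idx = (norm >> 10) & (INTERVALS - 1);
    uint16_t frac = (uint16_t)(norm << 6);

    if (idx + 1 >= entries)              /* the read UBSAN flagged */
        return -1;
    int32_t step = t[idx + 1] - t[idx];
    return t[idx] + (int)(((int32_t)frac * step) >> 16);
}

/* Builds constructed knots (i * 1000, not the driver's log2 values)
 * and looks n up in a table holding `entries` of them (at most 33). */
static int lookup_in_table(size_t entries, uint16_t n)
{
    int16_t t[INTERVALS + 1];
    if (entries > (size_t)(INTERVALS + 1))
        return -1;
    for (size_t i = 0; i < entries; i++)
        t[i] = (int16_t)(i * 1000);
    return lookup(t, entries, n);
}

int main(void)
{
    /* 63 = 0b111111 selects interval 31, the case named in the commit. */
    printf("32 knots, n=63:  %d\n", lookup_in_table(INTERVALS, 63));
    printf("33 knots, n=63:  %d\n", lookup_in_table(INTERVALS + 1, 63));
    printf("33 knots, n=127: %d\n", lookup_in_table(INTERVALS + 1, 127));
    return 0;
}
```

With 32 knots the lookup for 63 is refused rather than reading `t[32]`; with 33 knots the same input resolves, and 127 lands halfway into the last interval.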
appletalk net: deprecate eth_change_mtu, remove usage 2016-10-13 09:36:57 -04:00
arcnet
bonding net: bonding: Flip to the new dev walk API 2016-10-18 11:44:58 -04:00
caif virtio/vhost: new features for 4.8 2016-08-06 09:20:13 -04:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
cris net: deprecate eth_change_mtu, remove usage 2016-10-13 09:36:57 -04:00
dsa net: dsa: mv88e6xxx: use setup_timer to simplify the code 2016-10-26 17:21:59 -04:00
ethernet net: netcp: add missing of_node_put() in netcp_probe() 2016-10-26 17:21:59 -04:00
fddi net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
fjes net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
hamradio 6pack: fix buffer length mishandling 2016-09-20 22:51:30 -04:00
hippi net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
hyperv hv_netvsc: fix a race between netvsc_send() and netvsc_init_buf() 2016-10-21 11:27:31 -04:00
ieee802154 fakelb: fix schedule while atomic 2016-09-19 20:19:34 +02:00
ipvlan ipvlan: constify l3mdev_ops structure 2016-10-15 17:49:57 -04:00
irda
phy net: phy: broadcom: Add support for BCM54612E 2016-10-26 17:15:26 -04:00
plip net: deprecate eth_change_mtu, remove usage 2016-10-13 09:36:57 -04:00
ppp ppp: declare PPP devices as LLTX 2016-08-31 14:33:09 -07:00
slip net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
team team: loadbalance: push lacpdus to exact delivery 2016-08-26 13:08:59 -07:00
usb net: use core MTU range checking in USB NIC drivers 2016-10-20 14:51:08 -04:00
vmxnet3 net: use core MTU range checking in virt drivers 2016-10-20 14:51:09 -04:00
wan net: use core MTU range checking in WAN drivers 2016-10-20 14:51:09 -04:00
wimax net: use core MTU range checking in wireless drivers 2016-10-20 14:51:08 -04:00
wireless brcmsmac: fix array out-of-bounds access in qm_log10 2016-11-25 11:56:34 +02:00
xen-netback net: use core MTU range checking in virt drivers 2016-10-20 14:51:09 -04:00
dummy.c
eql.c
geneve.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
gtp.c
ifb.c
Kconfig ipvlan: Fix dependency issue 2016-09-20 22:55:23 -04:00
LICENSE.SRC
loopback.c
macsec.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
macvlan.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
macvtap.c macvtap: fix use after free for skb_array during release 2016-08-11 09:55:51 -07:00
Makefile
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
rionet.c net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
sb1000.c net: deprecate eth_change_mtu, remove usage 2016-10-13 09:36:57 -04:00
Space.c
sungem_phy.c
tun.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
veth.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
virtio_net.c net: use core MTU range checking in virt drivers 2016-10-20 14:51:09 -04:00
vrf.c net: vrf: Remove RT_FL_TOS 2016-09-17 10:05:05 -04:00
vxlan.c net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
xen-netfront.c net: use core MTU range checking in virt drivers 2016-10-20 14:51:09 -04:00