
Disclosure

| Date | Detail |
|------|--------|
| 04/23/2018 | reported to Samsung |
| 08/01/2018 | vulnerability confirmed and assigned SVE-2018-11783, rated Low |
| 08/02/2018 | assigned CVE-2018-14853 |
| 12/07/2018 | CVE description published https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14853 |

Affected Product

Samsung Galaxy S6 (SM-G920F), Firmware Version G920FXXU5EQH7

Vulnerability

A potential null pointer dereference at drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:3138

```c
3116 /* called with a lock */
3117 void BCMFASTPATH
3118 dhd_prot_txdata_write_flush(dhd_pub_t *dhd, uint16 flowid, bool in_lock)
3119 {
3120 #ifdef TXP_FLUSH_NITEMS
3121    unsigned long flags = 0;
3122    flow_ring_table_t *flow_ring_table;
3123    flow_ring_node_t *flow_ring_node;
3124    msgbuf_ring_t *msg_ring;
3125 
3126    if (!dhd->flow_ring_table)
3127       return;
3128 
3129    if (!in_lock) {
3130       DHD_GENERAL_LOCK(dhd, flags);
3131    }
3132 
3133    flow_ring_table = (flow_ring_table_t *)dhd->flow_ring_table;
3134    flow_ring_node = (flow_ring_node_t *)&flow_ring_table[flowid];
3135    msg_ring = (msgbuf_ring_t *)flow_ring_node->prot_info;
3136 
3137    /* Update the write pointer in TCM & ring bell */
3138    if (msg_ring->pend_items_count) {
3139       prot_ring_write_complete(dhd, msg_ring, msg_ring->start_addr,
3140          msg_ring->pend_items_count);
3141       msg_ring->pend_items_count = 0;
3142       msg_ring->start_addr = NULL;
3143    }
3144 
3145    if (!in_lock) {
3146       DHD_GENERAL_UNLOCK(dhd, flags);
3147    }
3148 #endif /* TXP_FLUSH_NITEMS */
3149 }
```

Analysis

At drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:4580 (shown below) the variable flow_create_resp is initialized as a pointer to memory that an attacker who controls the WiFi SoC can modify, so every field read from it, including the flow id, is untrusted input to the driver.

```c
4577 static void
4578 dhd_prot_process_flow_ring_create_response(dhd_pub_t *dhd, void* buf, uint16 msglen)
4579 {
4580    tx_flowring_create_response_t *flow_create_resp = (tx_flowring_create_response_t *)buf;
4581
```

The prot_info field of flow_ring_node_t is only initialized by dhd_prot_flow_ring_create. An attacker can therefore supply a flowid that is within the bounds of the flow_ring_table array but refers to an entry for which no ring has been created; the msg_ring pointer read from that entry is NULL and is dereferenced at line 3138.

Kernel Trace

<4>[  131.180195] I[0:      swapper/0:    0] ------------[ cut here ]------------
<2>[  131.180209] I[0:      swapper/0:    0] Kernel BUG at ffffffc0008d0fdc [verbose debug info unavailable]
<0>[  131.180223] I[0:      swapper/0:    0] Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP
<4>[  131.180239] I[0:      swapper/0:    0] Modules linked in:
<0>[  131.180257] I[0:      swapper/0:    0] exynos-snapshot: core register saved(CPU:0)
<0>[  131.180270] I[0:      swapper/0:    0] CPUMERRSR: 0000000000000000, L2MERRSR: 0000000000000000
<0>[  131.180282] I[0:      swapper/0:    0] exynos-snapshot: context saved(CPU:0)
<6>[  131.180356] I[0:      swapper/0:    0] exynos-snapshot: item - log_kevents is disabled
<4>[  131.180407] I[0:      swapper/0:    0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W    3.10.61-TeamNexus-gb11c661e30ff #763
<4>[  131.180426] I[0:      swapper/0:    0] task: ffffffc0016e8830 ti: ffffffc0016dc000 task.ti: ffffffc0016dc000
<4>[  131.180454] I[0:      swapper/0:    0] PC is at dhd_prot_txdata_write_flush+0x84/0x1c0
<4>[  131.180467] I[0:      swapper/0:    0] LR is at dhd_prot_txdata_write_flush+0x74/0x1c0
<4>[  131.180481] I[0:      swapper/0:    0] pc : [<ffffffc0008d0fdc>] lr : [<ffffffc0008d0fcc>] pstate: 600000c5
<4>[  131.180493] I[0:      swapper/0:    0] sp : ffffffc0016df960
<4>[  131.180506] I[0:      swapper/0:    0] x29: ffffffc0016df960 x28: 0000000000000040
<4>[  131.180523] I[0:      swapper/0:    0] x27: ffffffc00155a000 x26: ffffffc000f50f50
<4>[  131.180536] I[0:      swapper/0:    0] x25: ffffffc095102010 x24: ffffffc0950ca000
<4>[  131.180551] I[0:      swapper/0:    0] x23: 00000000000000c0 x22: 0000000000000000
<4>[  131.180563] I[0:      swapper/0:    0] x21: ffffffc095102000 x20: 0000000000000000
<4>[  131.180577] I[0:      swapper/0:    0] x19: ffffffc0950c8000 x18: 000000000000000a
<4>[  131.180590] I[0:      swapper/0:    0] x17: 0000000000000000 x16: 0000000000000000
<4>[  131.180603] I[0:      swapper/0:    0] x15: 000000000000fffe x14: 0000000000000002
<4>[  131.180616] I[0:      swapper/0:    0] x13: 0000000000000000 x12: 0000000000000001
<4>[  131.180630] I[0:      swapper/0:    0] x11: ffffffc0016df9f0 x10: ffffffc0016df940
<4>[  131.180643] I[0:      swapper/0:    0] x9 : 7f7f7f7f7f7f7f7f x8 : 3d20737574617473
<4>[  131.180657] I[0:      swapper/0:    0] x7 : 2065736e6f707365 x6 : ffffffc0016df941
<4>[  131.180669] I[0:      swapper/0:    0] x5 : 000000000000ffff x4 : 000000000000ffff
<4>[  131.180683] I[0:      swapper/0:    0] x3 : 00fffdb354932afc x2 : ffffff80078f0000
<4>[  131.180696] I[0:      swapper/0:    0] x1 : 000000000000000b x0 : 00000000000000c0
<4>[  131.180710] I[0:      swapper/0:    0]
<4>[  131.180710] I[0:      swapper/0:    0] PC: 0xffffffc0008d0f5c:
<4>[  131.180730] I[0:      swapper/0:    0] 0f5c  910003fd a90153f3 aa0003f3 a9025bf5 12003c35 12001c56 97e81589 f9573a74
<4>[  131.180757] I[0:      swapper/0:    0] 0f7c  b4000194 f9001bb7 97e81585 52800d00 9ba07eb5 34000196 8b150294 97e81580
<4>[  131.180780] I[0:      swapper/0:    0] 0f9c  f9402e94 79408280 35000920 f9401bb7 97e8157b a94153f3 a9425bf5 a8c67bfd
<4>[  131.180802] I[0:      swapper/0:    0] 0fbc  d65f03c0 97e81576 aa1303e0 97fd86c0 f9573a74 aa0003f7 8b150295 f9402eb4
<4>[  131.180825] I[0:      swapper/0:    0] 0fdc  79408280 34000380 a903e7b8 f90027ba 97e8156b 79400698 91400a60 f9400a79
<4>[  131.180848] I[0:      swapper/0:    0] 0ffc  f9402a9a 397aa800 350003a0 97e81564 f9400660 2a1803e4 52800203 52800042
<4>[  131.180870] I[0:      swapper/0:    0] 101c  91001341 97ffb534 97e8155d f9402a81 f9400660 f9404b22 79400821 d63f0040
<4>[  131.180893] I[0:      swapper/0:    0] 103c  7900829f f9001e9f 35000636 a943e7b8 f94027ba 97e81552 aa1703e1 aa1303e0
<4>[  131.180918] I[0:      swapper/0:    0]
<4>[  131.180918] I[0:      swapper/0:    0] LR: 0xffffffc0008d0f4c:
<4>[  131.180936] I[0:      swapper/0:    0] 0f4c  9131e000 9416c3f5 17ffffa5 a9ba7bfd 910003fd a90153f3 aa0003f3 a9025bf5
<4>[  131.180958] I[0:      swapper/0:    0] 0f6c  12003c35 12001c56 97e81589 f9573a74 b4000194 f9001bb7 97e81585 52800d00
<4>[  131.180980] I[0:      swapper/0:    0] 0f8c  9ba07eb5 34000196 8b150294 97e81580 f9402e94 79408280 35000920 f9401bb7
<4>[  131.181002] I[0:      swapper/0:    0] 0fac  97e8157b a94153f3 a9425bf5 a8c67bfd d65f03c0 97e81576 aa1303e0 97fd86c0
<4>[  131.181024] I[0:      swapper/0:    0] 0fcc  f9573a74 aa0003f7 8b150295 f9402eb4 79408280 34000380 a903e7b8 f90027ba
<4>[  131.181047] I[0:      swapper/0:    0] 0fec  97e8156b 79400698 91400a60 f9400a79 f9402a9a 397aa800 350003a0 97e81564
<4>[  131.181069] I[0:      swapper/0:    0] 100c  f9400660 2a1803e4 52800203 52800042 91001341 97ffb534 97e8155d f9402a81
<4>[  131.181091] I[0:      swapper/0:    0] 102c  f9400660 f9404b22 79400821 d63f0040 7900829f f9001e9f 35000636 a943e7b8
<4>[  131.181115] I[0:      swapper/0:    0]
<4>[  131.181115] I[0:      swapper/0:    0] SP: 0xffffffc0016df8e0:
<4>[  131.181134] I[0:      swapper/0:    0] f8e0  00000000 00000000 95102000 ffffffc0 00000000 00000000 000000c0 00000000
<4>[  131.181155] I[0:      swapper/0:    0] f900  950ca000 ffffffc0 95102010 ffffffc0 00f50f50 ffffffc0 0155a000 ffffffc0
<4>[  131.181177] I[0:      swapper/0:    0] f920  00000040 00000000 016df960 ffffffc0 008d0fcc ffffffc0 016df960 ffffffc0
<4>[  131.181200] I[0:      swapper/0:    0] f940  008d0fdc ffffffc0 600000c5 00000000 950c8000 ffffffc0 008d0fc4 ffffffc0
<4>[  131.181223] I[0:      swapper/0:    0] f960  016df9c0 ffffffc0 008c256c ffffffc0 00000000 00000000 95102000 ffffffc0
<4>[  131.181245] I[0:      swapper/0:    0] f980  98055000 ffffffc0 00000000 00000000 0192d000 ffffffc0 008c24e0 ffffffc0
<4>[  131.181267] I[0:      swapper/0:    0] f9a0  00000000 00000000 95102000 ffffffc0 016df9c0 ffffffc0 008c255c ffffffc0
<4>[  131.181290] I[0:      swapper/0:    0] f9c0  016dfa30 ffffffc0 008c9034 ffffffc0 0001b160 ffffff80 00000000 00000000
<4>[  131.181316] I[0:      swapper/0:    0]
<4>[  131.181316] I[0:      swapper/0:    0] X6: 0xffffffc0016df8c1:
<4>[  131.181335] I[0:      swapper/0:    0] f8c0  00000000 00000000 00000000 00000000 0000000a 00000000 950c8000 ffffffc0
<4>[  131.181356] I[0:      swapper/0:    0] f8e0  00000000 00000000 95102000 ffffffc0 00000000 00000000 000000c0 00000000
<4>[  131.181378] I[0:      swapper/0:    0] f900  950ca000 ffffffc0 95102010 ffffffc0 00f50f50 ffffffc0 0155a000 ffffffc0
<4>[  131.181401] I[0:      swapper/0:    0] f920  00000040 00000000 016df960 ffffffc0 008d0fcc ffffffc0 016df960 ffffffc0
<4>[  131.181423] I[0:      swapper/0:    0] f940  008d0fdc ffffffc0 600000c5 00000000 950c8000 ffffffc0 008d0fc4 ffffffc0
<4>[  131.181445] I[0:      swapper/0:    0] f960  016df9c0 ffffffc0 008c256c ffffffc0 00000000 00000000 95102000 ffffffc0
<4>[  131.181468] I[0:      swapper/0:    0] f980  98055000 ffffffc0 00000000 00000000 0192d000 ffffffc0 008c24e0 ffffffc0
<4>[  131.181490] I[0:      swapper/0:    0] f9a0  00000000 00000000 95102000 ffffffc0 016df9c0 ffffffc0 008c255c ffffffc0
<4>[  131.181512] I[0:      swapper/0:    0] f9c0  016dfa30 ffffffc0 008c9034 ffffffc0 0001b160 ffffff80 00000000 00000000
<4>[  131.181537] I[0:      swapper/0:    0]
<4>[  131.181537] I[0:      swapper/0:    0] X10: 0xffffffc0016df8c0:
<4>[  131.181556] I[0:      swapper/0:    0] f8c0  00000000 00000000 00000000 00000000 0000000a 00000000 950c8000 ffffffc0
<4>[  131.181578] I[0:      swapper/0:    0] f8e0  00000000 00000000 95102000 ffffffc0 00000000 00000000 000000c0 00000000
<4>[  131.181600] I[0:      swapper/0:    0] f900  950ca000 ffffffc0 95102010 ffffffc0 00f50f50 ffffffc0 0155a000 ffffffc0
<4>[  131.181622] I[0:      swapper/0:    0] f920  00000040 00000000 016df960 ffffffc0 008d0fcc ffffffc0 016df960 ffffffc0
<4>[  131.181644] I[0:      swapper/0:    0] f940  008d0fdc ffffffc0 600000c5 00000000 950c8000 ffffffc0 008d0fc4 ffffffc0
<4>[  131.181667] I[0:      swapper/0:    0] f960  016df9c0 ffffffc0 008c256c ffffffc0 00000000 00000000 95102000 ffffffc0
<4>[  131.181689] I[0:      swapper/0:    0] f980  98055000 ffffffc0 00000000 00000000 0192d000 ffffffc0 008c24e0 ffffffc0
<4>[  131.181710] I[0:      swapper/0:    0] f9a0  00000000 00000000 95102000 ffffffc0 016df9c0 ffffffc0 008c255c ffffffc0
<4>[  131.181735] I[0:      swapper/0:    0]
<4>[  131.181735] I[0:      swapper/0:    0] X11: 0xffffffc0016df970:
<4>[  131.181754] I[0:      swapper/0:    0] f970  00000000 00000000 95102000 ffffffc0 98055000 ffffffc0 00000000 00000000
<4>[  131.181775] I[0:      swapper/0:    0] f990  0192d000 ffffffc0 008c24e0 ffffffc0 00000000 00000000 95102000 ffffffc0
<4>[  131.181797] I[0:      swapper/0:    0] f9b0  016df9c0 ffffffc0 008c255c ffffffc0 016dfa30 ffffffc0 008c9034 ffffffc0
<4>[  131.181820] I[0:      swapper/0:    0] f9d0  0001b160 ffffff80 00000000 00000000 00000000 00000000 950c8000 ffffffc0
<4>[  131.181842] I[0:      swapper/0:    0] f9f0  008c8ff0 ffffffc0 00000010 00000000 98060000 ffffffc0 0192d000 ffffffc0
<4>[  131.181865] I[0:      swapper/0:    0] fa10  00000010 00000000 0001b160 ffffff80 016dfa30 ffffffc0 0155ae40 ffffffc0
<4>[  131.181887] I[0:      swapper/0:    0] fa30  016dfa60 ffffffc0 008cab08 ffffffc0 00000010 00000000 950c8000 ffffffc0
<4>[  131.181910] I[0:      swapper/0:    0] fa50  00000010 00000000 0001b160 ffffff80 016dfb00 ffffffc0 008d001c ffffffc0
<4>[  131.181937] I[0:      swapper/0:    0]
<4>[  131.181937] I[0:      swapper/0:    0] X19: 0xffffffc0950c7f80:
<4>[  131.181956] I[0:      swapper/0:    0] 7f80  72656472 30206465 2f0a3020 2f766564 636f6c62 6c702f6b 6f667461 312f6d72
<4>[  131.181978] I[0:      swapper/0:    0] 7fa0  30373535 2e303030 2f736675 6e2d7962 2f656d61 48434143 632f2045 65686361
<4>[  131.182000] I[0:      swapper/0:    0] 7fc0  74786520 77722034 6365732c 6562616c 6f6e2c6c 64697573 646f6e2c 6e2c7665
<4>[  131.182023] I[0:      swapper/0:    0] 7fe0  6974616f 642c656d 61637369 6e2c6472 7475616f 61645f6f 6c6c615f 652c636f
<4>[  131.182046] I[0:      swapper/0:    0] 8000  9fadff00 ffffffc0 98055000 ffffffc0 950c0000 ffffffc0 950c8000 ffffffc0
<4>[  131.182068] I[0:      swapper/0:    0] 8020  00000001 002c002c 00000000 00000002 00000000 00000000 000005ea 00000100
<4>[  131.182100] I[0:      swapper/0:    0] 8040  00000000 00000000 798b50e8 00007dea 00000000 00000000 00000000 00000000
<4>[  131.182291] I[0:      swapper/0:    0] 8060  000219a2 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182316] I[0:      swapper/0:    0]
<4>[  131.182316] I[0:      swapper/0:    0] X21: 0xffffffc095101f80:
<4>[  131.182335] I[0:      swapper/0:    0] 1f80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182358] I[0:      swapper/0:    0] 1fa0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182381] I[0:      swapper/0:    0] 1fc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182404] I[0:      swapper/0:    0] 1fe0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182426] I[0:      swapper/0:    0] 2000  95102000 ffffffc0 95102000 ffffffc0 95102010 ffffffc0 95102010 ffffffc0
<4>[  131.182450] I[0:      swapper/0:    0] 2020  00000000 00000000 00000000 00000000 07ff0000 00000000 008c6728 ffffffc0
<4>[  131.182474] I[0:      swapper/0:    0] 2040  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182498] I[0:      swapper/0:    0] 2060  5f60b480 ffffffc0 95102068 ffffffc0 95102068 ffffffc0 95102078 ffffffc0
<4>[  131.182523] I[0:      swapper/0:    0]
<4>[  131.182523] I[0:      swapper/0:    0] X24: 0xffffffc0950c9f80:
<4>[  131.182542] I[0:      swapper/0:    0] 9f80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182565] I[0:      swapper/0:    0] 9fa0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182588] I[0:      swapper/0:    0] 9fc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182611] I[0:      swapper/0:    0] 9fe0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182634] I[0:      swapper/0:    0] a000  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182657] I[0:      swapper/0:    0] a020  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182679] I[0:      swapper/0:    0] a040  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182702] I[0:      swapper/0:    0] a060  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182726] I[0:      swapper/0:    0]
<4>[  131.182726] I[0:      swapper/0:    0] X25: 0xffffffc095101f90:
<4>[  131.182745] I[0:      swapper/0:    0] 1f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182768] I[0:      swapper/0:    0] 1fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182791] I[0:      swapper/0:    0] 1fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.182814] I[0:      swapper/0:    0] 1ff0  00000000 00000000 00000000 00000000 95102000 ffffffc0 95102000 ffffffc0
<4>[  131.182837] I[0:      swapper/0:    0] 2010  95102010 ffffffc0 95102010 ffffffc0 00000000 00000000 00000000 00000000
<4>[  131.182861] I[0:      swapper/0:    0] 2030  07ff0000 00000000 008c6728 ffffffc0 00000000 00000000 00000000 00000000
<4>[  131.182883] I[0:      swapper/0:    0] 2050  00000000 00000000 00000000 00000000 5f60b480 ffffffc0 95102068 ffffffc0
<4>[  131.182907] I[0:      swapper/0:    0] 2070  95102068 ffffffc0 95102078 ffffffc0 95102078 ffffffc0 00000000 00000000
<4>[  131.182933] I[0:      swapper/0:    0]
<4>[  131.182933] I[0:      swapper/0:    0] X26: 0xffffffc000f50ed0:
<4>[  131.182951] I[0:      swapper/0:    0] 0ed0  6468645f 65696370 776f645f 616f6c6e 69665f64 61776d72 00006572 00000000
<4>[  131.182976] I[0:      swapper/0:    0] 0ef0  70646864 5f656963 6e776f64 64616f6c 646f635f 69665f65 0000656c 00000000
<4>[  131.182999] I[0:      swapper/0:    0] 0f10  70646864 5f656963 6e776f64 64616f6c 72766e5f 00006d61 5f646864 5f737562
<4>[  131.183022] I[0:      swapper/0:    0] 0f30  74637872 0000006c 5f646864 5f737562 5f6d656d 706d7564 00000000 00000000
<4>[  131.183046] I[0:      swapper/0:    0] 0f50  5f646864 5f737562 65686373 656c7564 6575715f 00006575 5f646864 5f737562
<4>[  131.183069] I[0:      swapper/0:    0] 0f70  61647874 00006174 70646864 5f656963 5f737562 70737573 00646e65 00000000
<4>[  131.183093] I[0:      swapper/0:    0] 0f90  70646864 5f656963 5f737562 6f696f64 00726176 00000000 70646864 5f656963
<4>[  131.183116] I[0:      swapper/0:    0] 0fb0  5f737562 6162706c 725f6b63 00007165 70646864 5f656963 5f737562 78616d64
<4>[  131.183142] I[0:      swapper/0:    0]
<4>[  131.183142] I[0:      swapper/0:    0] X27: 0xffffffc001559f80:
<4>[  131.183161] I[0:      swapper/0:    0] 9f80  20414d44 6f205852 65736666 72662074 73206d6f 65726168 72412064 25206165
<4>[  131.183185] I[0:      swapper/0:    0] 9fa0  00000a64 00000000 203a7325 65696370 6168735f 20646572 73726576 206e6f69
<4>[  131.183208] I[0:      swapper/0:    0] 9fc0  69206425 6864206e 73692064 646c6f20 74207265 206e6168 65696370 5f766564
<4>[  131.183232] I[0:      swapper/0:    0] 9fe0  72616873 76206465 69737265 25206e6f 6e692064 6e6f6420 0a656c67 00000000
<4>[  131.183256] I[0:      swapper/0:    0] a000  2d737562 6d78743e 5f65646f 68737570 20736920 20746573 25206f74 00000a64
<4>[  131.183279] I[0:      swapper/0:    0] a020  203a7325 74736f48 70757320 74726f70 414d4420 20676e69 69646e69 3a736563
<4>[  131.183302] I[0:      swapper/0:    0] a040  44324820 2064253a 3244202d 64253a48 5746202e 70757320 74726f70 74692073
<4>[  131.183326] I[0:      swapper/0:    0] a060  0000000a 00000000 203a7325 74736f48 70757320 74726f70 4d442073 676e6941
<4>[  131.183352] I[0:      swapper/0:    0]
<4>[  131.183352] I[0:      swapper/0:    0] X29: 0xffffffc0016df8e0:
<4>[  131.183370] I[0:      swapper/0:    0] f8e0  00000000 00000000 95102000 ffffffc0 00000000 00000000 000000c0 00000000
<4>[  131.183393] I[0:      swapper/0:    0] f900  950ca000 ffffffc0 95102010 ffffffc0 00f50f50 ffffffc0 0155a000 ffffffc0
<4>[  131.183416] I[0:      swapper/0:    0] f920  00000040 00000000 016df960 ffffffc0 008d0fcc ffffffc0 016df960 ffffffc0
<4>[  131.183440] I[0:      swapper/0:    0] f940  008d0fdc ffffffc0 600000c5 00000000 950c8000 ffffffc0 008d0fc4 ffffffc0
<4>[  131.183463] I[0:      swapper/0:    0] f960  016df9c0 ffffffc0 008c256c ffffffc0 00000000 00000000 95102000 ffffffc0
<4>[  131.183486] I[0:      swapper/0:    0] f980  98055000 ffffffc0 00000000 00000000 0192d000 ffffffc0 008c24e0 ffffffc0
<4>[  131.183510] I[0:      swapper/0:    0] f9a0  00000000 00000000 95102000 ffffffc0 016df9c0 ffffffc0 008c255c ffffffc0
<4>[  131.183533] I[0:      swapper/0:    0] f9c0  016dfa30 ffffffc0 008c9034 ffffffc0 0001b160 ffffff80 00000000 00000000
<4>[  131.183556] I[0:      swapper/0:    0]
<0>[  131.183570] I[0:      swapper/0:    0] Process swapper/0 (pid: 0, stack limit = 0xffffffc0016dc058)
<0>[  131.183587] I[0:      swapper/0:    0] Stack: (0xffffffc0016df960 to 0xffffffc0016e0000)
<0>[  131.183605] I[0:      swapper/0:    0] f960: 016df9c0 ffffffc0 008c256c ffffffc0 00000000 00000000 95102000 ffffffc0
<0>[  131.183623] I[0:      swapper/0:    0] f980: 98055000 ffffffc0 00000000 00000000 0192d000 ffffffc0 008c24e0 ffffffc0
<0>[  131.183641] I[0:      swapper/0:    0] f9a0: 00000000 00000000 95102000 ffffffc0 016df9c0 ffffffc0 008c255c ffffffc0
<0>[  131.183659] I[0:      swapper/0:    0] f9c0: 016dfa30 ffffffc0 008c9034 ffffffc0 0001b160 ffffff80 00000000 00000000
<0>[  131.183677] I[0:      swapper/0:    0] f9e0: 00000000 00000000 950c8000 ffffffc0 008c8ff0 ffffffc0 00000010 00000000
<0>[  131.183694] I[0:      swapper/0:    0] fa00: 98060000 ffffffc0 0192d000 ffffffc0 00000010 00000000 0001b160 ffffff80
<0>[  131.183712] I[0:      swapper/0:    0] fa20: 016dfa30 ffffffc0 0155ae40 ffffffc0 016dfa60 ffffffc0 008cab08 ffffffc0
<0>[  131.183730] I[0:      swapper/0:    0] fa40: 00000010 00000000 950c8000 ffffffc0 00000010 00000000 0001b160 ffffff80
<0>[  131.183748] I[0:      swapper/0:    0] fa60: 016dfb00 ffffffc0 008d001c ffffffc0 00000010 00000000 98060000 ffffffc0
<0>[  131.183767] I[0:      swapper/0:    0] fa80: 950c8000 ffffffc0 950c0000 ffffffc0 0001b160 ffffff80 b3a7ad00 ffffffc0
<0>[  131.183784] I[0:      swapper/0:    0] faa0: 00000000 00000000 950ca000 ffffffc0 00000400 00000000 00000317 00000000
<0>[  131.183802] I[0:      swapper/0:    0] fac0: 00000003 00000000 00f516f8 ffffffc0 950c8000 ffffffc0 0155d190 ffffffc0
<0>[  131.183820] I[0:      swapper/0:    0] fae0: 00000000 ffffffc0 00000029 00000010 950c0000 ffffffc0 00f51928 ffffffc0
<0>[  131.183839] I[0:      swapper/0:    0] fb00: 016dfb80 ffffffc0 008ba240 ffffffc0 98055010 ffffffc0 98055000 ffffffc0
<0>[  131.183856] I[0:      swapper/0:    0] fb20: 019367d0 ffffffc0 950c8000 ffffffc0 98055010 ffffffc0 00000000 00000000
<0>[  131.183873] I[0:      swapper/0:    0] fb40: 016e20b0 ffffffc0 01a46000 ffffffc0 01c52000 ffffffc0 00000001 00000000
<0>[  131.183891] I[0:      swapper/0:    0] fb60: 00f51b90 ffffffc0 00f516f8 ffffffc0 016dfb80 00000040 0192de00 ffffffc0
<0>[  131.183909] I[0:      swapper/0:    0] fb80: 016dfbd0 ffffffc0 008c1b94 ffffffc0 98055000 ffffffc0 0192d000 ffffffc0
<0>[  131.183926] I[0:      swapper/0:    0] fba0: 00000001 00000000 5f5e9c00 ffffffc0 01a46680 ffffffc0 5f5e9c00 ffffffc0
<0>[  131.183945] I[0:      swapper/0:    0] fbc0: 016dfbd0 ffffffc0 008c1b84 ffffffc0 016dfc00 ffffffc0 008302ec ffffffc0
<0>[  131.183962] I[0:      swapper/0:    0] fbe0: 950c8000 ffffffc0 98055000 ffffffc0 00000000 00000000 016d4d28 ffffffc0
<0>[  131.183980] I[0:      swapper/0:    0] fc00: 016dfc20 ffffffc0 0024481c ffffffc0 950cd040 ffffffc0 950cd048 ffffffc0
<0>[  131.183997] I[0:      swapper/0:    0] fc20: 016dfc60 ffffffc0 00245040 ffffffc0 00000006 00000000 00000101 00000000
<0>[  131.184016] I[0:      swapper/0:    0] fc40: 016d4f88 ffffffc0 00000006 00000000 016e2000 ffffffc0 01a46000 ffffffc0
<0>[  131.184034] I[0:      swapper/0:    0] fc60: 016dfcf0 ffffffc0 0024583c ffffffc0 000000c0 00000000 000000ed 00000000
<0>[  131.184051] I[0:      swapper/0:    0] fc80: 00000000 00000000 8a924c38 0000001e 60000045 00000000 00000001 00000000
<0>[  131.184069] I[0:      swapper/0:    0] fca0: 00000001 00000000 40202000 00000000 00205430 ffffffc0 40000000 00000040
<0>[  131.184087] I[0:      swapper/0:    0] fcc0: 016dfcd0 ffffffc0 016f08b0 ffffffc0 ffffbe0d 00000000 00200000 0000000a
<0>[  131.184105] I[0:      swapper/0:    0] fce0: 016d4dd0 ffffffc0 000000ed 00000000 016dfd10 ffffffc0 0020ada4 ffffffc0
<0>[  131.184124] I[0:      swapper/0:    0] fd00: 016d6000 ffffffc0 0020ad80 ffffffc0 016dfd40 ffffffc0 002063e8 ffffffc0
<0>[  131.184142] I[0:      swapper/0:    0] fd20: 0000200c ffffff80 016dfd70 ffffffc0 01cb1c00 ffffffc0 00002010 ffffff80
<0>[  131.184160] I[0:      swapper/0:    0] fd40: 016dfe90 ffffffc0 0020a5e8 ffffffc0 000f4240 00000000 be0bb558 ffffffc0
<0>[  131.184178] I[0:      swapper/0:    0] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000003 00000000 f9003000 ffffff80
<0>[  131.184196] I[0:      swapper/0:    0] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
<0>[  131.184214] I[0:      swapper/0:    0] fda0: b3af3380 0025ca12 ffffffff 00ffffff 3b9aca00 00000000 00209800 ffffffc0
<0>[  131.184232] I[0:      swapper/0:    0] fdc0: 00000000 00000000 00000000 00000000 34c5d83d 00000000 00000000 00000000
<0>[  131.184249] I[0:      swapper/0:    0] fde0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<0>[  131.184268] I[0:      swapper/0:    0] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 0009097a 00000000
<0>[  131.184285] I[0:      swapper/0:    0] fe20: 00000001 00000000 00000001 00000000 00000001 00000000 00000001 00000000
<0>[  131.184302] I[0:      swapper/0:    0] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
<0>[  131.184325] I[0:      swapper/0:    0] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0 00adf490 ffffffc0 60000045 00000000
<0>[  131.184365] I[0:      swapper/0:    0] fe80: 00205430 ffffffc0 40000000 00000040 016dfed0 ffffffc0 00adf5cc ffffffc0
<0>[  131.184399] I[0:      swapper/0:    0] fea0: be0bb558 ffffffc0 00000000 00000000 01a47000 ffffffc0 01fdd000 ffffffc0
<0>[  131.184439] I[0:      swapper/0:    0] fec0: 01953f38 ffffffc0 002a5598 00000001 016dff20 ffffffc0 0020b6ac ffffffc0
<0>[  131.184473] I[0:      swapper/0:    0] fee0: 01c525b8 ffffffc0 01c585d8 ffffffc0 01a47000 ffffffc0 00ec6000 ffffffc0
<0>[  131.184507] I[0:      swapper/0:    0] ff00: 01a463cb ffffffc0 014b9858 ffffffc0 40200000 00000000 00ec6000 ffffffc0
<0>[  131.184541] I[0:      swapper/0:    0] ff20: 016dff30 ffffffc0 002a5618 ffffffc0 016dff80 ffffffc0 00e74184 ffffffc0
<0>[  131.184579] I[0:      swapper/0:    0] ff40: 00000002 00000000 016bee08 ffffffc0 01a4d000 ffffffc0 be1bbac0 ffffffc0
<0>[  131.184608] I[0:      swapper/0:    0] ff60: 016bee08 ffffffc0 40000000 00000000 40200000 00000000 40202000 00000000
<0>[  131.184627] I[0:      swapper/0:    0] ff80: 016dffa0 ffffffc0 01670808 ffffffc0 01c89000 ffffffc0 01670800 ffffffc0
<0>[  131.184644] I[0:      swapper/0:    0] ffa0: 00000000 00000000 40205210 00000000 43e77c88 00000000 00000e11 00000000
<0>[  131.184662] I[0:      swapper/0:    0] ffc0: 4a000000 00000000 410fd032 00000000 416e9dd8 00000000 00000000 00000000
<0>[  131.184679] I[0:      swapper/0:    0] ffe0: 00000000 00000000 016bee08 ffffffc0 00000000 00000000 00000000 00000000
<4>[  131.184692] I[0:      swapper/0:    0] Call trace:
<4>[  131.184709] I[0:      swapper/0:    0] [<ffffffc0008d0fdc>] dhd_prot_txdata_write_flush+0x84/0x1c0
<4>[  131.184732] I[0:      swapper/0:    0] [<ffffffc0008c2568>] dhd_bus_flow_ring_create_response+0x308/0x480
<4>[  131.184752] I[0:      swapper/0:    0] [<ffffffc0008c9030>] dhd_prot_process_flow_ring_create_response+0x40/0xb8
<4>[  131.184768] I[0:      swapper/0:    0] [<ffffffc0008cab04>] dhd_prot_process_msgtype+0x14c/0x5a8
<4>[  131.184784] I[0:      swapper/0:    0] [<ffffffc0008d0018>] dhd_prot_process_msgbuf_txcpl+0x1c8/0x3f0
<4>[  131.184802] I[0:      swapper/0:    0] [<ffffffc0008ba23c>] dhdpcie_bus_process_mailbox_intr+0x1f4/0x518
<4>[  131.184819] I[0:      swapper/0:    0] [<ffffffc0008c1b90>] dhd_bus_dpc+0x160/0x260
<4>[  131.184840] I[0:      swapper/0:    0] [<ffffffc0008302e8>] dhd_dpc+0x28/0x98
<4>[  131.184862] I[0:      swapper/0:    0] [<ffffffc000244818>] tasklet_action+0x90/0x1e0
<4>[  131.184877] I[0:      swapper/0:    0] [<ffffffc00024503c>] __do_softirq+0x144/0x3e0
<4>[  131.184894] I[0:      swapper/0:    0] [<ffffffc000245838>] irq_exit+0x108/0x130
<4>[  131.184913] I[0:      swapper/0:    0] [<ffffffc00020ada0>] handle_IRQ+0x58/0xc8
<4>[  131.184929] I[0:      swapper/0:    0] [<ffffffc0002063e4>] gic_handle_irq+0x3c/0x88
<4>[  131.184944] I[0:      swapper/0:    0] Exception stack(0xffffffc0016dfd50 to 0xffffffc0016dfe70)
<4>[  131.184960] I[0:      swapper/0:    0] fd40:                                     000f4240 00000000 be0bb558 ffffffc0
<4>[  131.184978] I[0:      swapper/0:    0] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000003 00000000 f9003000 ffffff80
<4>[  131.184996] I[0:      swapper/0:    0] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
<4>[  131.185013] I[0:      swapper/0:    0] fda0: b3af3380 0025ca12 ffffffff 00ffffff 3b9aca00 00000000 00209800 ffffffc0
<4>[  131.185029] I[0:      swapper/0:    0] fdc0: 00000000 00000000 00000000 00000000 34c5d83d 00000000 00000000 00000000
<4>[  131.185046] I[0:      swapper/0:    0] fde0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[  131.185064] I[0:      swapper/0:    0] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 0009097a 00000000
<4>[  131.185081] I[0:      swapper/0:    0] fe20: 00000001 00000000 00000001 00000000 00000001 00000000 00000001 00000000
<4>[  131.185099] I[0:      swapper/0:    0] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
<4>[  131.185114] I[0:      swapper/0:    0] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0
<4>[  131.185129] I[0:      swapper/0:    0] [<ffffffc00020a5e4>] el1_irq+0x64/0xd4
<4>[  131.185153] I[0:      swapper/0:    0] [<ffffffc000adf5c8>] cpuidle_idle_call+0xc0/0x278
<4>[  131.185169] I[0:      swapper/0:    0] [<ffffffc00020b6a8>] arch_cpu_idle+0x8/0x20
<4>[  131.185191] I[0:      swapper/0:    0] [<ffffffc0002a5614>] cpu_startup_entry+0xcc/0x280
<4>[  131.185213] I[0:      swapper/0:    0] [<ffffffc000e74180>] rest_init+0x80/0x90
<4>[  131.185236] I[0:      swapper/0:    0] [<ffffffc001670804>] start_kernel+0x314/0x32c
<0>[  131.185253] I[0:      swapper/0:    0] Code: f9573a74 aa0003f7 8b150295 f9402eb4 (79408280)
<4>[  131.185317] I[0:      swapper/0:    0] ---[ end trace 923bb553c964c96d ]---

In-Depth Analysis

Exploiting the access to an uninitialized element of the flow ring array

To exploit this vulnerability, an attacker who has obtained code execution on the WiFi chip can provide the WiFi driver with a flow id pointing to an uninitialized flow ring within the flow ring table. The dereference of the msgbuf_ring_t pointer obtained from the uninitialized flow ring table entry will then cause a null pointer dereference and induce a device reboot.
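The following is an added example, not code from the advisory or from the bcmdhd4358 driver. It is a user-space model of the flow ring lookup described in the Analysis section above and in this paragraph: a table of flow ring nodes whose prot_info pointer is NULL until the ring is created, a flush routine that mirrors the unchecked dereference at line 3138, and a hardened variant that validates the flowid taken from the untrusted response message and refuses to touch a ring that was never created. All type and function names with a _model suffix, the table size, and the result codes are assumptions made for the example; only the names flow_ring_table, prot_info, flowid, pend_items_count and start_addr come from the page.

```c
/* Added example (not the driver's code): models the flow ring lookup in
 * dhd_prot_txdata_write_flush() and shows a checked alternative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOW_RINGS 8   /* constructed table size for this model */

typedef struct {
    uint32_t pend_items_count;
    void    *start_addr;
} msgbuf_ring_model_t;            /* stands in for msgbuf_ring_t */

typedef struct {
    int   active;                 /* set once the ring has been created */
    void *prot_info;              /* msgbuf_ring_model_t * after creation, NULL before */
} flow_ring_node_model_t;         /* stands in for flow_ring_node_t */

typedef struct {
    flow_ring_node_model_t *flow_ring_table;
    uint16_t                max_flow_rings;
} dhd_model_t;                    /* stands in for dhd_pub_t */

/* Result codes of the checked path (hypothetical, not from the driver) */
enum { FLUSH_OK = 0, FLUSH_BAD_FLOWID = -1, FLUSH_RING_NOT_CREATED = -2, FLUSH_NO_TABLE = -3 };

/* Mirrors the vulnerable pattern: the flowid from the message indexes the
 * table and prot_info is dereferenced unconditionally. On an entry whose
 * ring was never created this reads through a NULL pointer, which is the
 * fault recorded in the kernel trace. Returns the number of items flushed. */
static uint32_t txdata_write_flush_unchecked(dhd_model_t *dhd, uint16_t flowid)
{
    flow_ring_node_model_t *node = &dhd->flow_ring_table[flowid];
    msgbuf_ring_model_t *ring = (msgbuf_ring_model_t *)node->prot_info;
    uint32_t n = ring->pend_items_count;   /* NULL dereference if not created */
    ring->pend_items_count = 0;
    ring->start_addr = NULL;
    return n;
}

/* Hardened variant: bound the index and confirm the ring exists before use. */
static int txdata_write_flush_checked(dhd_model_t *dhd, uint16_t flowid, uint32_t *flushed)
{
    if (!dhd->flow_ring_table)
        return FLUSH_NO_TABLE;
    if (flowid >= dhd->max_flow_rings)         /* index from untrusted message */
        return FLUSH_BAD_FLOWID;
    flow_ring_node_model_t *node = &dhd->flow_ring_table[flowid];
    if (!node->active || !node->prot_info)     /* ring never created */
        return FLUSH_RING_NOT_CREATED;
    msgbuf_ring_model_t *ring = node->prot_info;
    if (flushed)
        *flushed = ring->pend_items_count;
    ring->pend_items_count = 0;
    ring->start_addr = NULL;
    return FLUSH_OK;
}

/* Constructed fixture: a table in which only flow ring 2 has been created. */
static flow_ring_node_model_t g_table[MAX_FLOW_RINGS];
static msgbuf_ring_model_t    g_ring2;
static dhd_model_t            g_dhd;

static dhd_model_t *setup_model(void)
{
    memset(g_table, 0, sizeof g_table);        /* every prot_info starts NULL */
    g_ring2.pend_items_count = 5;
    g_ring2.start_addr = NULL;
    g_table[2].active = 1;
    g_table[2].prot_info = &g_ring2;
    g_dhd.flow_ring_table = g_table;
    g_dhd.max_flow_rings = MAX_FLOW_RINGS;
    return &g_dhd;
}

int main(void)
{
    dhd_model_t *dhd = setup_model();
    uint32_t n = 0;
    printf("checked flowid 2   -> %d (flushed %u)\n", txdata_write_flush_checked(dhd, 2, &n), n);
    printf("checked flowid 5   -> %d (ring not created)\n", txdata_write_flush_checked(dhd, 5, NULL));
    printf("checked flowid 100 -> %d (out of range)\n", txdata_write_flush_checked(dhd, 100, NULL));
    printf("unchecked flowid 2 -> %u\n", txdata_write_flush_unchecked(dhd, 2));
    /* txdata_write_flush_unchecked(dhd, 5) would dereference NULL here. */
    return 0;
}
```

The two rejections in the checked path correspond to the two distinct failure modes: an index outside the table, and an index inside the table whose entry was never populated by the create path. The advisory's bug is the second kind, which a plain bounds check does not catch; the entry's creation state has to be consulted as well.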