Disclosure
| Date | Detail |
|---|---|
04/23/2018 |
reported to Samsung |
08/01/2018 |
vulnerabilities confirmed and assigned SVE-2018-11785, rated Low |
08/02/2018 |
assigned CVE-2018-14854, CVE-2018-14855 and CVE-2018-14856 |
12/07/2018 |
CVE descriptions published https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14854, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14855, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14856 |
Affected Product
Samsung Galaxy S6 (SM-G920F), Firmware Version G920FXXU5EQH7
Vulnerabilities
Three potential buffer overflows in
drivers/net/wireless/bcmdhd4358/dhd_pcie.c:5024 (CVE-2018-14856)drivers/net/wireless/bcmdhd4358/dhd_pcie.c:5093 (CVE-2018-14854)drivers/net/wireless/bcmdhd4358/dhd_pcie.c:5154 (CVE-2018-14855)
CVE-2018-14856
5016 void
5017 dhd_bus_flow_ring_create_response(dhd_bus_t *bus, uint16 flowid, int32 status)
5018 {
5019 flow_ring_node_t *flow_ring_node;
5020 unsigned long flags;
5021
5022 DHD_INFO(("%s :Flow Response %d \n", __FUNCTION__, flowid));
5023
5024 flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
5025 ASSERT(flow_ring_node->flowid == flowid);
5026
5027 if (status != BCME_OK) {
5028 DHD_ERROR(("%s Flow create Response failure error status = %d \n",
5029 __FUNCTION__, status));
5030 /* Call Flow clean up */
5031 dhd_bus_clean_flow_ring(bus, flow_ring_node);
5032 return;
5033 }
5034
5035 DHD_FLOWRING_LOCK(flow_ring_node->lock, flags);
5036 flow_ring_node->status = FLOW_RING_STATUS_OPEN;
5037 DHD_FLOWRING_UNLOCK(flow_ring_node->lock, flags);
5038
5039 dhd_bus_schedule_queue(bus, flowid, FALSE);
5040
5041 return;
5042 }
CVE-2018-14854
5086 void
5087 dhd_bus_flow_ring_delete_response(dhd_bus_t *bus, uint16 flowid, uint32 status)
5088 {
5089 flow_ring_node_t *flow_ring_node;
5090
5091 DHD_INFO(("%s :Flow Delete Response %d \n", __FUNCTION__, flowid));
5092
5093 flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
5094 ASSERT(flow_ring_node->flowid == flowid);
5095
5096 if (status != BCME_OK) {
5097 DHD_ERROR(("%s Flow Delete Response failure error status = %d \n",
5098 __FUNCTION__, status));
5099 return;
5100 }
5101 /* Call Flow clean up */
5102 dhd_bus_clean_flow_ring(bus, flow_ring_node);
5103
5104 return;
5105 }
CVE-2018-14855
5143 void
5144 dhd_bus_flow_ring_flush_response(dhd_bus_t *bus, uint16 flowid, uint32 status)
5145 {
5146 flow_ring_node_t *flow_ring_node;
5147
5148 if (status != BCME_OK) {
5149 DHD_ERROR(("%s Flow flush Response failure error status = %d \n",
5150 __FUNCTION__, status));
5151 return;
5152 }
5153
5154 flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
5155 ASSERT(flow_ring_node->flowid == flowid);
5156
5157 flow_ring_node->status = FLOW_RING_STATUS_OPEN;
5158 return;
5159 }
Analysis
We will analyse each of the vulnerabilities seperately.
CVE-2018-14856
In line drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:4580 below the variable flow_create_resp is initialized as a pointer to memory that can be modified by the attacker on WiFi SoC. In line 4585 this memory is passed as the parameter flow_create_resp->cmplt.flow_ring_id to the function dhd_bus_flow_ring_create_response
4577 static void
4578 dhd_prot_process_flow_ring_create_response(dhd_pub_t *dhd, void* buf, uint16 msglen)
4579 {
4580 tx_flowring_create_response_t *flow_create_resp = (tx_flowring_create_response_t *)buf;
4581
4582 DHD_ERROR(("%s Flow create Response status = %d Flow %d\n", __FUNCTION__,
4583 flow_create_resp->cmplt.status, flow_create_resp->cmplt.flow_ring_id));
4584
4585 dhd_bus_flow_ring_create_response(dhd->bus, flow_create_resp->cmplt.flow_ring_id,
4586 flow_create_resp->cmplt.status);
4587 }
CVE-2018-14854
In line drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:4693 below the variable flow_delete_resp is initialized as a pointer to memory that can be modified by the attacker on WiFi SoC. In line 4698 this memory is passed as the parameter low_delete_resp->cmplt.flow_ring_id to the function dhd_bus_flow_ring_delete_response
4690 static void
4691 dhd_prot_process_flow_ring_delete_response(dhd_pub_t *dhd, void* buf, uint16 msglen)
4692 {
4693 tx_flowring_delete_response_t *flow_delete_resp = (tx_flowring_delete_response_t *)buf;
4694
4695 DHD_INFO(("%s Flow Delete Response status = %d \n", __FUNCTION__,
4696 flow_delete_resp->cmplt.status));
4697
4698 dhd_bus_flow_ring_delete_response(dhd->bus, flow_delete_resp->cmplt.flow_ring_id,
4699 flow_delete_resp->cmplt.status);
4700 }
CVE-2018-14855
In line drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:4745 below the variable flow_flush_resp is initialized as a pointer to memory that can be modified by an attacker on the WiFi SoC. In line 4750 this memory is passed as the parameter low_flush_resp->cmplt.flow_ring_id to the function dhd_bus_flow_ring_flush_response
4742 static void
4743 dhd_prot_process_flow_ring_flush_response(dhd_pub_t *dhd, void* buf, uint16 msglen)
4744 {
4745 tx_flowring_flush_response_t *flow_flush_resp = (tx_flowring_flush_response_t *)buf;
4746
4747 DHD_INFO(("%s Flow Flush Response status = %d \n", __FUNCTION__,
4748 flow_flush_resp->cmplt.status));
4749
4750 dhd_bus_flow_ring_flush_response(dhd->bus, flow_flush_resp->cmplt.flow_ring_id,
4751 flow_flush_resp->cmplt.status);
4752 }
Kernel Traces
CVE-2018-14856
[ 200.743070] ------------[ cut here ]------------
[ 200.743091] Kernel BUG at ffffffc000e939dc [verbose debug info unavailable]
[ 200.743114] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 200.743137] Modules linked in:
[ 200.743164] exynos-snapshot: core register saved(CPU:0)
[ 200.743184] CPUMERRSR: 0000000000000000, L2MERRSR: 0000000000000000
[ 200.743204] exynos-snapshot: context saved(CPU:0)
[ 200.743315] exynos-snapshot: item - log_kevents is disabled
[ 200.743391] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.10.61-TeamNexus-gb11c661e30ff #763
[ 200.743420] task: ffffffc0016e8830 ti: ffffffc0016dc000 task.ti: ffffffc0016dc000
[ 200.743461] PC is at _raw_spin_lock_irqsave+0x24/0x58
[ 200.743491] LR is at dhd_os_spin_lock+0x24/0x58
[ 200.743514] pc : [<ffffffc000e939dc>] lr : [<ffffffc000832c14>] pstate: 800000c5
[ 200.743534] sp : ffffffc0016df960
[ 200.743555] x29: ffffffc0016df960 x28: ffffff8000018450
[ 200.743582] x27: 0000000000000010 x26: ffffffc00192d000
[ 200.743603] x25: ffffffc0a0df3c80 x24: 00000000ffffabab
[ 200.743625] x23: ffffffc00192d000 x22: ffffffc09655dd88
[ 200.743646] x21: ffffffc09655dd78 x20: ffffffc0a07cf000
[ 200.743667] x19: 0064656e69666564 x18: 000000000000000a
[ 200.743688] x17: 0000007f9988e3f0 x16: 00000000000029ea
[ 200.743710] x15: 000000000000fff9 x14: 0000000000000002
[ 200.743731] x13: 0000000000005455 x12: 0000000000000005
[ 200.743752] x11: ffffffc0016df980 x10: ffffffc0016df8cf
[ 200.743773] x9 : 7f7f7f7f7f7f7f7f x8 : 206572756c696166
[ 200.743795] x7 : 2065736e6f707365 x6 : ffffffc0016df8d6
[ 200.743816] x5 : 00000000000000cd x4 : 000000000000ffff
[ 200.743838] x3 : ffffffc0016dc000 x2 : 0000000000000040
[ 200.743858] x1 : 0000000000000102 x0 : 0064656e69666564
[ 200.743883]
[ 200.743883] PC: 0xffffffc000e9395c:
[ 200.743914] 395c 35ffffa2 d65f03c0 d503201f d50342df 910003e1 9272c421 aa0103e2 b9405021
[ 200.743956] 397c 11000421 b9005041 f9800011 885ffc01 11404022 88037c02 35ffffa3 4ac14022
[ 200.743994] 399c 340000c2 d50320bf d503205f 485ffc03 4a414062 35ffffa2 d65f03c0 d53b4222
[ 200.744032] 39bc d50342df 910003e1 9272c421 aa0103e3 b9405021 11000421 b9005061 f9800011
[ 200.744069] 39dc 885ffc01 11404023 88047c03 35ffffa4 4ac14023 340000c3 d50320bf d503205f
[ 200.744107] 39fc 485ffc04 4a414083 35ffffa3 aa0203e0 d65f03c0 910003e1 9272c421 aa0103e2
[ 200.744144] 3a1c b9405021 11000421 b9005041 d50320bf d503205f 885ffc01 11000421 37ffffa1
[ 200.744181] 3a3c 88027c01 35ffff82 d65f03c0 910003e1 9272c421 aa0103e2 b9405021 11000421
[ 200.744222]
[ 200.744222] LR: 0xffffffc000832b94:
[ 200.744252] 2b94 b4000060 97ea8e80 b900027f 97ea8e7e aa1303e0 f9400bf3 a8c27bfd d65f03c0
[ 200.744290] 2bb4 d503201f a9be7bfd 910003fd a90153f3 aa0003f3 aa0103f4 97ea8e73 aa1403e1
[ 200.744328] 2bd4 aa1303e0 52800102 94008ff5 a94153f3 a8c27bfd d65f03c0 d503201f a9be7bfd
[ 200.744365] 2bf4 910003fd f9000bf3 aa0003f3 97ea8e66 b4000173 97ea8e64 aa1303e0 9419836a
[ 200.744404] 2c14 aa0003f3 97ea8e60 aa1303e0 f9400bf3 a8c27bfd d65f03c0 d503201f 97ea8e5a
[ 200.744441] 2c34 d2800013 aa1303e0 f9400bf3 a8c27bfd d65f03c0 a9be7bfd 910003fd a90153f3
[ 200.744479] 2c54 aa0003f3 aa0103f4 97ea8e4f b40000b3 97ea8e4d aa1403e1 aa1303e0 94198422
[ 200.744516] 2c74 97ea8e49 a94153f3 a8c27bfd d65f03c0 d503201f a9bb7bfd 910003fd f9000bf3
[ 200.744557]
[ 200.744557] SP: 0xffffffc0016df8e0:
[ 200.744588] f8e0 a07cf000 ffffffc0 9655dd78 ffffffc0 9655dd88 ffffffc0 0192d000 ffffffc0
[ 200.744624] f900 ffffabab 00000000 a0df3c80 ffffffc0 0192d000 ffffffc0 00000010 00000000
[ 200.744661] f920 00018450 ffffff80 016df960 ffffffc0 00832c14 ffffffc0 016df960 ffffffc0
[ 200.744698] f940 00e939dc ffffffc0 800000c5 00000000 016df960 ffffffc0 00832c0c ffffffc0
[ 200.744735] f960 016df980 ffffffc0 008c2124 ffffffc0 9655dd78 ffffffc0 008c2114 ffffffc0
[ 200.744772] f980 016df9c0 ffffffc0 008c22f4 ffffffc0 9655dd78 ffffffc0 00f51298 ffffffc0
[ 200.744810] f9a0 a07cf000 ffffffc0 0155b8d0 ffffffc0 0192d000 ffffffc0 008c22e8 ffffffc0
[ 200.744848] f9c0 016dfa30 ffffffc0 008c9034 ffffffc0 00018450 ffffff80 0000abab 00000000
[ 200.744890]
[ 200.744890] X3: 0xffffffc0016dbf80:
[ 200.744920] bf80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.744956] bfa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.744992] bfc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.745029] bfe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.745064] c000 00000002 00000000 ffffffff ffffffff 016e8830 ffffffc0 016f0520 ffffffc0
[ 200.745101] c020 0025c408 ffffffc0 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.745138] c040 00000000 00000000 00000000 00000000 00000104 00000000 00000000 00000000
[ 200.745174] c060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.745214]
[ 200.745214] X6: 0xffffffc0016df856:
[ 200.745244] f854 00000000 016dc000 ffffffc0 0000ffff 00000000 000000cd 00000000 016df8d6
[ 200.745281] f874 ffffffc0 6f707365 2065736e 6c696166 20657275 7f7f7f7f 7f7f7f7f 016df8cf
[ 200.745318] f894 ffffffc0 016df980 ffffffc0 00000005 00000000 00005455 00000000 00000002
[ 200.745355] f8b4 00000000 0000fff9 00000000 000029ea 00000000 9988e3f0 0000007f 0000000a
[ 200.745392] f8d4 00000000 69666564 0064656e a07cf000 ffffffc0 9655dd78 ffffffc0 9655dd88
[ 200.745429] f8f4 ffffffc0 0192d000 ffffffc0 ffffabab 00000000 a0df3c80 ffffffc0 0192d000
[ 200.745466] f914 ffffffc0 00000010 00000000 00018450 ffffff80 016df960 ffffffc0 00832c14
[ 200.745503] f934 ffffffc0 016df960 ffffffc0 00e939dc ffffffc0 800000c5 00000000 016df960
[ 200.745540] f954 ffffffc0 00832c0c ffffffc0 016df980 ffffffc0 008c2124 ffffffc0 9655dd78
[ 200.745582]
[ 200.745582] X10: 0xffffffc0016df84f:
[ 200.745612] f84c 00000000 00000040 00000000 016dc000 ffffffc0 0000ffff 00000000 000000cd
[ 200.745649] f86c 00000000 016df8d6 ffffffc0 6f707365 2065736e 6c696166 20657275 7f7f7f7f
[ 200.745686] f88c 7f7f7f7f 016df8cf ffffffc0 016df980 ffffffc0 00000005 00000000 00005455
[ 200.745723] f8ac 00000000 00000002 00000000 0000fff9 00000000 000029ea 00000000 9988e3f0
[ 200.745760] f8cc 0000007f 0000000a 00000000 69666564 0064656e a07cf000 ffffffc0 9655dd78
[ 200.745796] f8ec ffffffc0 9655dd88 ffffffc0 0192d000 ffffffc0 ffffabab 00000000 a0df3c80
[ 200.745833] f90c ffffffc0 0192d000 ffffffc0 00000010 00000000 00018450 ffffff80 016df960
[ 200.745870] f92c ffffffc0 00832c14 ffffffc0 016df960 ffffffc0 00e939dc ffffffc0 800000c5
[ 200.745908] f94c 00000000 016df960 ffffffc0 00832c0c ffffffc0 016df980 ffffffc0 008c2124
[ 200.745948]
[ 200.745948] X11: 0xffffffc0016df900:
[ 200.745977] f900 ffffabab 00000000 a0df3c80 ffffffc0 0192d000 ffffffc0 00000010 00000000
[ 200.746014] f920 00018450 ffffff80 016df960 ffffffc0 00832c14 ffffffc0 016df960 ffffffc0
[ 200.746051] f940 00e939dc ffffffc0 800000c5 00000000 016df960 ffffffc0 00832c0c ffffffc0
[ 200.746088] f960 016df980 ffffffc0 008c2124 ffffffc0 9655dd78 ffffffc0 008c2114 ffffffc0
[ 200.746125] f980 016df9c0 ffffffc0 008c22f4 ffffffc0 9655dd78 ffffffc0 00f51298 ffffffc0
[ 200.746162] f9a0 a07cf000 ffffffc0 0155b8d0 ffffffc0 0192d000 ffffffc0 008c22e8 ffffffc0
[ 200.746199] f9c0 016dfa30 ffffffc0 008c9034 ffffffc0 00018450 ffffff80 0000abab 00000000
[ 200.746236] f9e0 ffffabab ffffffff 960d8000 ffffffc0 008c8ff0 ffffffc0 00000010 00000000
[ 200.746282]
[ 200.746282] X20: 0xffffffc0a07cef80:
[ 200.746312] ef80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.746348] efa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.746384] efc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.746420] efe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.746456] f000 960d8000 ffffffc0 9856b000 ffffffc0 96103040 ffffffc0 961030a8 ffffffc0
[ 200.746495] f020 5faab100 ffffffc0 8c4b4000 ffffffc0 00000d7d 00000000 0cf70000 ffffff80
[ 200.746532] f040 00000006 00000000 000c0000 000c0000 00000000 00000000 00000000 00000001
[ 200.746569] f060 960dafb0 ffffffc0 960dbfb0 ffffffc0 00000000 00000000 00000000 00000000
[ 200.746608]
[ 200.746608] X21: 0xffffffc09655dcf8:
[ 200.746638] dcf8 62206465 6f6d2079 206c6564 756f7267 54007370 6b206568 65727965 65722066
[ 200.746678] dd18 65726566 7365636e 6b206120 65727965 68540066 61632065 6e696472 74696c61
[ 200.746715] dd38 666f2079 65687420 79656b20 20666572 66666964 20737265 6d6f7266 65687420
[ 200.746752] dd58 72616320 616e6964 7974696c 20666f20 20656874 65666572 636e6572 6b206465
[ 200.746789] dd78 752f7965 7571696e 25272065 54002773 64206568 6e696665 6f697469 7369206e
[ 200.746826] dd98 72696320 616c7563 69430072 6c756372 72207261 72656665 65636e65 206f7420
[ 200.746864] ddb8 20656874 65646f6d 7267206c 2070756f 69666564 6974696e 27206e6f 20277325
[ 200.747170] ddd8 69666564 0064656e 63726943 72616c75 66657220 6e657265 74206563 6874206f
[ 200.747258]
[ 200.747258] X22: 0xffffffc09655dd08:
[ 200.747288] dd08 54007370 6b206568 65727965 65722066 65726566 7365636e 6b206120 65727965
[ 200.747326] dd28 68540066 61632065 6e696472 74696c61 666f2079 65687420 79656b20 20666572
[ 200.747363] dd48 66666964 20737265 6d6f7266 65687420 72616320 616e6964 7974696c 20666f20
[ 200.747399] dd68 20656874 65666572 636e6572 6b206465 752f7965 7571696e 25272065 54002773
[ 200.747436] dd88 64206568 6e696665 6f697469 7369206e 72696320 616c7563 69430072 6c756372
[ 200.747473] dda8 72207261 72656665 65636e65 206f7420 20656874 65646f6d 7267206c 2070756f
[ 200.747510] ddc8 69666564 6974696e 27206e6f 20277325 69666564 0064656e 63726943 72616c75
[ 200.747547] dde8 66657220 6e657265 74206563 6874206f 74612065 62697274 20657475 756f7267
[ 200.747588]
[ 200.747588] X23: 0xffffffc00192cf80:
[ 200.747617] cf80 00000000 00000000 00808310 ffffffc0 00000000 00000000 00000000 00000000
[ 200.747655] cfa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747691] cfc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747727] cfe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747763] d000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747800] d020 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747835] d040 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747873] d060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.747913]
[ 200.747913] X25: 0xffffffc0a0df3c00:
[ 200.747943] 3c00 9f334748 ffffffc0 9f334748 ffffffc0 a0df3d10 ffffffc0 a0df3b10 ffffffc0
[ 200.747981] 3c20 00004000 00000000 00018000 ffffff80 00000001 00000000 9f334400 ffffffc0
[ 200.748018] 3c40 00000001 00000000 00000200 dead0000 00000000 00000000 b7f6f058 ffffffc0
[ 200.748056] 3c60 b9f02600 ffffffc0 ffffffff 00000002 00040004 00000000 00000000 00000000
[ 200.748093] 3c80 00030001 74683264 6c706378 00000000 00000000 00000000 00000000 00000000
[ 200.748130] 3ca0 00018000 ffffff80 f9a0c000 00000000 00000000 00000000 00000000 00000000
[ 200.748166] 3cc0 00000000 00000000 9ce25ec0 ffffffc0 9ce25100 ffffffc0 00000544 00000000
[ 200.748204] 3ce0 00000000 00000000 00000000 00000000 00000100 00000000 00000000 00000000
[ 200.748243]
[ 200.748243] X26: 0xffffffc00192cf80:
[ 200.748274] cf80 00000000 00000000 00808310 ffffffc0 00000000 00000000 00000000 00000000
[ 200.748310] cfa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748346] cfc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748382] cfe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748419] d000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748455] d020 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748491] d040 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748527] d060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.748568]
[ 200.748568] X29: 0xffffffc0016df8e0:
[ 200.748598] f8e0 a07cf000 ffffffc0 9655dd78 ffffffc0 9655dd88 ffffffc0 0192d000 ffffffc0
[ 200.748635] f900 ffffabab 00000000 a0df3c80 ffffffc0 0192d000 ffffffc0 00000010 00000000
[ 200.748672] f920 00018450 ffffff80 016df960 ffffffc0 00832c14 ffffffc0 016df960 ffffffc0
[ 200.748711] f940 00e939dc ffffffc0 800000c5 00000000 016df960 ffffffc0 00832c0c ffffffc0
[ 200.748748] f960 016df980 ffffffc0 008c2124 ffffffc0 9655dd78 ffffffc0 008c2114 ffffffc0
[ 200.748785] f980 016df9c0 ffffffc0 008c22f4 ffffffc0 9655dd78 ffffffc0 00f51298 ffffffc0
[ 200.748822] f9a0 a07cf000 ffffffc0 0155b8d0 ffffffc0 0192d000 ffffffc0 008c22e8 ffffffc0
[ 200.748859] f9c0 016dfa30 ffffffc0 008c9034 ffffffc0 00018450 ffffff80 0000abab 00000000
[ 200.748896]
[ 200.748918] Process swapper/0 (pid: 0, stack limit = 0xffffffc0016dc058)
[ 200.748943] Stack: (0xffffffc0016df960 to 0xffffffc0016e0000)
[ 200.748973] f960: 016df980 ffffffc0 008c2124 ffffffc0 9655dd78 ffffffc0 008c2114 ffffffc0
[ 200.749002] f980: 016df9c0 ffffffc0 008c22f4 ffffffc0 9655dd78 ffffffc0 00f51298 ffffffc0
[ 200.749031] f9a0: a07cf000 ffffffc0 0155b8d0 ffffffc0 0192d000 ffffffc0 008c22e8 ffffffc0
[ 200.749059] f9c0: 016dfa30 ffffffc0 008c9034 ffffffc0 00018450 ffffff80 0000abab 00000000
[ 200.749087] f9e0: ffffabab ffffffff 960d8000 ffffffc0 008c8ff0 ffffffc0 00000010 00000000
[ 200.749117] fa00: 008c909c ffffffc0 016dfa30 ffffffc0 008c90a4 ffffffc0 80000045 00000000
[ 200.749147] fa20: 016dfa30 ffffffc0 008c9024 ffffffc0 016dfa60 ffffffc0 008cab08 ffffffc0
[ 200.749175] fa40: 00000010 00000000 960d8000 ffffffc0 00000010 00000000 00018450 ffffff80
[ 200.749203] fa60: 016dfb00 ffffffc0 008d001c ffffffc0 00000010 00000000 a0df3c80 ffffffc0
[ 200.749231] fa80: 960d8000 ffffffc0 960d0000 ffffffc0 00018450 ffffff80 9ce25ec0 ffffffc0
[ 200.749259] faa0: 00000000 00000000 960da000 ffffffc0 00000400 00000000 00000046 00000000
[ 200.749288] fac0: 00000003 00000000 00f516f8 ffffffc0 960d8000 ffffffc0 0155d190 ffffffc0
[ 200.749317] fae0: 00000000 ffffffc0 00000029 00000010 960d0000 ffffffc0 00f51928 ffffffc0
[ 200.749346] fb00: 016dfb80 ffffffc0 008ba240 ffffffc0 a07cf010 ffffffc0 a07cf000 ffffffc0
[ 200.749374] fb20: 019367d0 ffffffc0 960d8000 ffffffc0 a07cf010 ffffffc0 00000000 00000000
[ 200.749403] fb40: 016e20b0 ffffffc0 01a46000 ffffffc0 01c52000 ffffffc0 00000001 00000000
[ 200.749432] fb60: 00f51b90 ffffffc0 00f516f8 ffffffc0 016dfb80 00000040 0192de00 ffffffc0
[ 200.749462] fb80: 016dfbd0 ffffffc0 008c1b94 ffffffc0 a07cf000 ffffffc0 0192d000 ffffffc0
[ 200.749490] fba0: 00000001 00000000 5faab100 ffffffc0 01a46680 ffffffc0 5faab100 ffffffc0
[ 200.749519] fbc0: 016dfbd0 ffffffc0 008c1b84 ffffffc0 016dfc00 ffffffc0 008302ec ffffffc0
[ 200.749548] fbe0: 960d8000 ffffffc0 a07cf000 ffffffc0 00000000 00000000 016d4d28 ffffffc0
[ 200.749577] fc00: 016dfc20 ffffffc0 0024481c ffffffc0 960dd040 ffffffc0 960dd048 ffffffc0
[ 200.749605] fc20: 016dfc60 ffffffc0 00245040 ffffffc0 00000006 00000000 00000101 00000000
[ 200.749633] fc40: 016d4f88 ffffffc0 00000006 00000000 016e2000 ffffffc0 01a46000 ffffffc0
[ 200.749661] fc60: 016dfcf0 ffffffc0 0024583c ffffffc0 000000c0 00000000 000000ed 00000000
[ 200.749689] fc80: 00000000 00000000 bca74b82 0000002e 60000045 00000000 00000000 00000000
[ 200.749717] fca0: 00000000 00000000 40202000 00000000 00205430 ffffffc0 40000000 00000040
[ 200.749746] fcc0: 016dfcd0 ffffffc0 016f08b0 ffffffc0 ffffd939 00000000 00200000 0000000a
[ 200.749774] fce0: 016d4dd0 ffffffc0 000000ed 00000000 016dfd10 ffffffc0 0020ada4 ffffffc0
[ 200.749802] fd00: 016d6000 ffffffc0 0020ad80 ffffffc0 016dfd40 ffffffc0 002063e8 ffffffc0
[ 200.749831] fd20: 0000200c ffffff80 016dfd70 ffffffc0 01cb1c00 ffffffc0 00002010 ffffff80
[ 200.749860] fd40: 016dfe90 ffffffc0 0020a5e8 ffffffc0 000f4240 00000000 be0bb558 ffffffc0
[ 200.749889] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000008 00000000 f9003000 ffffff80
[ 200.749918] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
[ 200.749946] fda0: d4f06280 0030479e ffffffff 00ffffff 3b9aca00 00000000 00000033 00000000
[ 200.749974] fdc0: 00000006 00000000 0225a2cf 00000000 00000024 00000000 000051cf 00000000
[ 200.750003] fde0: 0000338b 00000000 0000328b 00000000 000029ea 00000000 9988e3f0 0000007f
[ 200.750032] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 000371ff 00000000
[ 200.750059] fe20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.750088] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
[ 200.750116] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0 00adf490 ffffffc0 60000045 00000000
[ 200.750145] fe80: 00205430 ffffffc0 40000000 00000040 016dfed0 ffffffc0 00adf5cc ffffffc0
[ 200.750173] fea0: be0bb558 ffffffc0 00000000 00000000 01a47000 ffffffc0 01fdd000 ffffffc0
[ 200.750203] fec0: 01953f38 ffffffc0 002a5598 00000001 016dff20 ffffffc0 0020b6ac ffffffc0
[ 200.750231] fee0: 01c525b8 ffffffc0 01c585d8 ffffffc0 01a47000 ffffffc0 00ec6000 ffffffc0
[ 200.750260] ff00: 01a463cb ffffffc0 014b9858 ffffffc0 40200000 00000000 00ec6000 ffffffc0
[ 200.750288] ff20: 016dff30 ffffffc0 002a5618 ffffffc0 016dff80 ffffffc0 00e74184 ffffffc0
[ 200.750317] ff40: 00000002 00000000 016bee08 ffffffc0 01a4d000 ffffffc0 be1bbac0 ffffffc0
[ 200.750345] ff60: 016bee08 ffffffc0 40000000 00000000 40200000 00000000 40202000 00000000
[ 200.750374] ff80: 016dffa0 ffffffc0 01670808 ffffffc0 01c89000 ffffffc0 01670800 ffffffc0
[ 200.750401] ffa0: 00000000 00000000 40205210 00000000 43e77c88 00000000 00000e11 00000000
[ 200.750429] ffc0: 4a000000 00000000 410fd032 00000000 416e9dd8 00000000 00000000 00000000
[ 200.750456] ffe0: 00000000 00000000 016bee08 ffffffc0 00000000 00000000 00000000 00000000
[ 200.750475] Call trace:
[ 200.750502] [<ffffffc000e939dc>] _raw_spin_lock_irqsave+0x24/0x58
[ 200.750533] [<ffffffc0008c2120>] dhd_bus_clean_flow_ring+0x30/0xf8
[ 200.750560] [<ffffffc0008c22f0>] dhd_bus_flow_ring_create_response+0x90/0x480
[ 200.750592] [<ffffffc0008c9030>] dhd_prot_process_flow_ring_create_response+0x40/0xb8
[ 200.750617] [<ffffffc0008cab04>] dhd_prot_process_msgtype+0x14c/0x5a8
[ 200.750641] [<ffffffc0008d0018>] dhd_prot_process_msgbuf_txcpl+0x1c8/0x3f0
[ 200.750669] [<ffffffc0008ba23c>] dhdpcie_bus_process_mailbox_intr+0x1f4/0x518
[ 200.750694] [<ffffffc0008c1b90>] dhd_bus_dpc+0x160/0x260
[ 200.750726] [<ffffffc0008302e8>] dhd_dpc+0x28/0x98
[ 200.750758] [<ffffffc000244818>] tasklet_action+0x90/0x1e0
[ 200.750783] [<ffffffc00024503c>] __do_softirq+0x144/0x3e0
[ 200.750809] [<ffffffc000245838>] irq_exit+0x108/0x130
[ 200.750839] [<ffffffc00020ada0>] handle_IRQ+0x58/0xc8
[ 200.750864] [<ffffffc0002063e4>] gic_handle_irq+0x3c/0x88
[ 200.750886] Exception stack(0xffffffc0016dfd50 to 0xffffffc0016dfe70)
[ 200.750910] fd40: 000f4240 00000000 be0bb558 ffffffc0
[ 200.750939] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000008 00000000 f9003000 ffffff80
[ 200.750966] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
[ 200.750995] fda0: d4f06280 0030479e ffffffff 00ffffff 3b9aca00 00000000 00000033 00000000
[ 200.751022] fdc0: 00000006 00000000 0225a2cf 00000000 00000024 00000000 000051cf 00000000
[ 200.751050] fde0: 0000338b 00000000 0000328b 00000000 000029ea 00000000 9988e3f0 0000007f
[ 200.751077] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 000371ff 00000000
[ 200.751104] fe20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 200.751133] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
[ 200.751158] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0
[ 200.751183] [<ffffffc00020a5e4>] el1_irq+0x64/0xd4
[ 200.751217] [<ffffffc000adf5c8>] cpuidle_idle_call+0xc0/0x278
[ 200.751242] [<ffffffc00020b6a8>] arch_cpu_idle+0x8/0x20
[ 200.751275] [<ffffffc0002a5614>] cpu_startup_entry+0xcc/0x280
[ 200.751305] [<ffffffc000e74180>] rest_init+0x80/0x90
[ 200.751337] [<ffffffc001670804>] start_kernel+0x314/0x32c
[ 200.751363] Code: b9405021 11000421 b9005061 f9800011 (885ffc01)
[ 200.751470] ---[ end trace e1070556e6f65c99 ]---CVE-2018-14854
[ 385.605978] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 385.606001] pgd = ffffffc000202000
[ 385.606026] [00000000] *pgd=00000000fa409003, *pmd=00000000fa40c003, *pte=0060000011001707
[ 385.606257] Kernel BUG at ffffffc0008c21a0 [verbose debug info unavailable]
[ 385.606279] Internal error: Oops - BUG: 96000045 [#1] PREEMPT SMP
[ 385.606329] Modules linked in:
[ 385.606405] exynos-snapshot: core register saved(CPU:0)
[ 385.606450] CPUMERRSR: 0000000000000000, L2MERRSR: 0000000000000000
[ 385.606513] exynos-snapshot: context saved(CPU:0)
[ 385.606665] exynos-snapshot: item - log_kevents is disabled
[ 385.606748] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.10.61-TeamNexus-gb11c661e30ff #763
[ 385.606799] task: ffffffc0016e8830 ti: ffffffc0016dc000 task.ti: ffffffc0016dc000
[ 385.606866] PC is at dhd_bus_clean_flow_ring+0xb0/0xf8
[ 385.606890] LR is at dhd_bus_clean_flow_ring+0x9c/0xf8
[ 385.606919] pc : [<ffffffc0008c21a0>] lr : [<ffffffc0008c218c>] pstate: 60000045
[ 385.606938] sp : ffffffc0016df9b0
[ 385.606958] x29: ffffffc0016df9b0 x28: ffffff8000018450
[ 385.606985] x27: 0000000000000010 x26: ffffffc00192d000
[ 385.607013] x25: ffffffc0a000da80 x24: 0000000000000010
[ 385.607035] x23: 0000000000000000 x22: ffffffc095efb7a8
[ 385.607057] x21: ffffffc095efb798 x20: ffffffc0b891c000
[ 385.607077] x19: 0000000000000000 x18: 000000000000000a
[ 385.607105] x17: 0000000000000000 x16: 0000000000000000
[ 385.607126] x15: 0000000000000000 x14: 0000000000000001
[ 385.607148] x13: 0000000000093eab x12: 0000000000000006
[ 385.607169] x11: ffffffc081a514df x10: ffffffc001a514e7
[ 385.607198] x9 : ffffffc001a52138 x8 : 63705f6468642220
[ 385.607219] x7 : 656c6966203a2264 x6 : ffffffc001a51548
[ 385.607239] x5 : 0000000000105578 x4 : 000000000000ffff
[ 385.607260] x3 : 00fffd8f7a5c218c x2 : 0000000000000000
[ 385.607281] x1 : 0000000000000000 x0 : 0000000000000000
[ 385.607310]
[ 385.607310] PC: 0xffffffc0008c2120:
[ 385.607341] 2120 97fdc2b4 aa0003f7 14000008 d503201f 97e8511a f9400280 52800022 aa1303e1
[ 385.607388] 2140 f9400000 97fe4e8f 97e85114 f9400280 aa1603e1 940011ed aa0003f3 b5fffea0
[ 385.607426] 2160 97e8510e 794042c0 34000100 97e8510b 900064c1 b00064c0 52826ee2 911fc021
[ 385.607464] 2180 91218000 97fe5495 97e85104 390102bf a94002a2 52800041 390106a1 aa1703e1
[ 385.607501] 21a0 f9000002 a9400aa0 f9000402 f94032a0 97fdc2a6 f9400280 f9402ea1 940043d1
[ 385.607538] 21c0 794086a2 394116a1 f9400280 940016b7 f9401bf7 a94153f3 a9425bf5 a8c47bfd
[ 385.607576] 21e0 d65f03c0 d503201f a9be7bfd 910003fd a90153f3 aa0003f3 aa0103f4 97e850e7
[ 385.607613] 2200 f0008340 b94e0000 371001c0 97e850e3 f9400260 aa1403e1 9400425a 7100001f
[ 385.607654]
[ 385.607654] LR: 0xffffffc0008c210c:
[ 385.607683] 210c f9001bf7 97e85122 f9400280 97fda546 f94032a0 97fdc2b4 aa0003f7 14000008
[ 385.607721] 212c d503201f 97e8511a f9400280 52800022 aa1303e1 f9400000 97fe4e8f 97e85114
[ 385.607758] 214c f9400280 aa1603e1 940011ed aa0003f3 b5fffea0 97e8510e 794042c0 34000100
[ 385.607795] 216c 97e8510b 900064c1 b00064c0 52826ee2 911fc021 91218000 97fe5495 97e85104
[ 385.607832] 218c 390102bf a94002a2 52800041 390106a1 aa1703e1 f9000002 a9400aa0 f9000402
[ 385.607869] 21ac f94032a0 97fdc2a6 f9400280 f9402ea1 940043d1 794086a2 394116a1 f9400280
[ 385.607906] 21cc 940016b7 f9401bf7 a94153f3 a9425bf5 a8c47bfd d65f03c0 d503201f a9be7bfd
[ 385.607943] 21ec 910003fd a90153f3 aa0003f3 aa0103f4 97e850e7 f0008340 b94e0000 371001c0
[ 385.607983]
[ 385.607983] SP: 0xffffffc0016df930:
[ 385.608014] f930 b891c000 ffffffc0 95efb798 ffffffc0 95efb7a8 ffffffc0 00000000 00000000
[ 385.608050] f950 00000010 00000000 a000da80 ffffffc0 0192d000 ffffffc0 00000010 00000000
[ 385.608093] f970 00018450 ffffff80 016df9b0 ffffffc0 008c218c ffffffc0 016df9b0 ffffffc0
[ 385.608131] f990 008c21a0 ffffffc0 60000045 00000000 016df9b0 ffffffc0 008c218c ffffffc0
[ 385.608174] f9b0 016df9f0 ffffffc0 008c2950 ffffffc0 95efb798 ffffffc0 0000feff 00000000
[ 385.608212] f9d0 0192d000 ffffffc0 b891c000 ffffffc0 00000000 00000000 008c2944 ffffffc0
[ 385.608255] f9f0 016dfa30 ffffffc0 008c8fb8 ffffffc0 00018450 ffffff80 00000000 00000000
[ 385.608298] fa10 95848000 ffffffc0 00018450 ffffff80 008c8f78 ffffffc0 008c8fa8 ffffffc0
[ 385.608342]
[ 385.608342] X6: 0xffffffc001a514c8:
[ 385.608377] 14c8 00000000 00000000 00000000 00000000 00000001 00000000 30303020 32303330
[ 385.608414] 14e8 31343830 20205d34 203a305b 20202020 61777320 72657070 203a302f 30202020
[ 385.608459] 1508 3531205d 38203830 30362e35 32343338 5b49205d 20203a30 20202020 70617773
[ 385.608497] 1528 2f726570 20203a30 5d302020 3a365820 66783020 66666666 30306366 31356131
[ 385.608534] 1548 3a386334 0a0a350a 3162672d 36366331 30336531 23206666 0a333637 6f707365
[ 385.608571] 1568 2b65736e 30337830 3778302f 64612038 303d7264 66666678 38666666 30303030
[ 385.608614] 1588 35343831 63202c61 303d7874 63313578 540a3839 2c30203a 73617020 5f646573
[ 385.608651] 15a8 33203a54 66202c30 5f6c6c75 33203a54 63202c30 655f6768 545f646e 2c30203a
[ 385.608699]
[ 385.608699] X9: 0xffffffc001a520b8:
[ 385.608734] 20b8 2c686565 33376435 610a2c68 3d6f6e6c 35313330 33666437 39663466 63306461
[ 385.608772] 20d8 646e7320 636f735f 726f635f 6d702e65 6e776f64 6d69745f 30313d65 7a203030
[ 385.608816] 20f8 5f6f7265 68636473 63695f67 6120313d 6f72646e 6f626469 662e746f 635f706d
[ 385.608853] 2118 69666e6f 0a303d67 00000000 00000000 00000000 00000000 006c6148 ffffffc0
[ 385.608896] 2138 38333132 33313333 66660033 30306366 32356131 3a386230 726c000a 5b203a20
[ 385.608933] 2158 6666663c 63666666 38303030 38313263 205d3e63 61747370 203a6574 30303036
[ 385.608976] 2178 35343030 0a30000a 31626700 36366331 30336531 23206666 0a333637 6f707300
[ 385.609013] 2198 2b65736e 30337830 3778302f 64612038 303d7264 66666678 38666666 30303030
[ 385.609059]
[ 385.609059] X10: 0xffffffc001a51467:
[ 385.609089] 1464 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.609133] 1484 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.609169] 14a4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.609210] 14c4 00000000 00000000 00000000 00000000 00000000 00000001 00000000 30303020
[ 385.609255] 14e4 362e3538 35323938 20205d35 203a305b 20202020 61777320 72657070 203a302f
[ 385.609292] 1504 30202020 3531205d 38203430 30362e35 39353039 5b49205d 20203a30 20202020
[ 385.609329] 1524 70617773 2f726570 20203a30 5d302020 30315820 7830203a 66666666 30636666
[ 385.609366] 1544 35613130 37363431 0a0a0a3a 3162672d 36366331 30336531 23206666 0a333637
[ 385.609408] 1564 6f707365 2b65736e 30337830 3778302f 64612038 303d7264 66666678 38666666
[ 385.609449]
[ 385.609449] X11: 0xffffffc081a5145f:
[ 385.609479] 145c aa0203fc 58002d1e 58002d20 d63f03c0 39472aa0 35002020 b94196bb 6b1b031f
[ 385.609522] 147c 54001fc1 71000b1f 54001861 34000f7a aa1503e1 90001240 f9457800 f940181e
[ 385.609565] 149c d63f03c0 34000ea0 b94132bb 37f80d1b b9410aa0 b9410ea1 4b1b003c 6b1c001f
[ 385.609603] 14bc 54000c6a 394732a0 35000160 394712a0 35000120 b9418ea0 121b0000 350000c0
[ 385.609647] 14dc b9418aa0 12000400 35000060 39472ea0 14000002 52800020 35000aa0 9000135d
[ 385.609685] 14fc b94dfbbd 3400213d aa1403e1 52822460 f940de7e d63f03c0 aa0003e1 aa0103f4
[ 385.609729] 151c 580027be 580027c0 d63f03c0 d0001342 b94c4442 34002082 aa1403e1 aa0203fb
[ 385.609766] 153c b9400020 f9418000 f940181e d63f03c0 b9410ea2 34002020 aa0003e1 aa0103f4
[ 385.609811] 155c aa0203fb b9400020 f9416c00 f940181e d63f03c0 900012c2 b949d442 34001f42
[ 385.609858]
[ 385.609858] X20: 0xffffffc0b891bf80:
[ 385.609893] bf80 01d09698 ffffffbc 00000000 00001000 84bd5000 00000000 00001000 00000000
[ 385.609932] bfa0 01b966d0 ffffffbc 00000000 00001000 7e1d6000 00000000 00001000 00000000
[ 385.609975] bfc0 01b968c8 ffffffbc 00000000 00001000 7e1df000 00000000 00001000 00000000
[ 385.610013] bfe0 01c6107a ffffffbc 00000000 00001000 81bb9000 00000000 00001000 00000000
[ 385.610055] c000 95848000 ffffffc0 9740c800 ffffffc0 95883040 ffffffc0 958830a8 ffffffc0
[ 385.610101] c020 974ae100 ffffffc0 885c2000 ffffffc0 00000d7d 00000000 0cf70000 ffffff80
[ 385.610137] c040 00000006 00000000 000c0000 000c0000 00000000 00000000 00000000 00000001
[ 385.610175] c060 9584afb0 ffffffc0 9584bfb0 ffffffc0 00000000 00000000 00000000 00000000
[ 385.610215]
[ 385.610215] X21: 0xffffffc095efb718:
[ 385.610251] b718 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610287] b738 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610328] b758 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610364] b778 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610406] b798 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610442] b7b8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610483] b7d8 00000200 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610520] b7f8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610564]
[ 385.610564] X22: 0xffffffc095efb728:
[ 385.610594] b728 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610636] b748 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610673] b768 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610715] b788 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610757] b7a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610793] b7c8 00000000 00000000 00000000 00000000 00000200 00000000 00000000 00000000
[ 385.610830] b7e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610871] b808 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.610920]
[ 385.610920] X25: 0xffffffc0a000da00:
[ 385.610950] da00 9cf6e9c0 ffffffc0 a000d788 ffffffc0 b9ef1330 ffffffc0 9f1a6810 ffffffc0
[ 385.610988] da20 b9ef1330 ffffffc0 019240f8 ffffffc0 a03b9000 ffffffc0 00000002 00000003
[ 385.611026] da40 01744378 ffffffc0 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611068] da60 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611104] da80 00030001 74683264 6c706378 00000000 00000000 00000000 00000000 00000000
[ 385.611480] daa0 00018000 ffffff80 f9a0c000 00000000 00000000 00000000 00000000 00000000
[ 385.611537] dac0 00000000 00000000 9cf63700 ffffffc0 9cf63800 ffffffc0 00000d44 00000000
[ 385.611574] dae0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611619]
[ 385.611619] X26: 0xffffffc00192cf80:
[ 385.611649] cf80 00000000 00000000 00808310 ffffffc0 00000000 00000000 00000000 00000000
[ 385.611692] cfa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611736] cfc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611773] cfe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611810] d000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611846] d020 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611887] d040 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611924] d060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.611969]
[ 385.611969] X29: 0xffffffc0016df930:
[ 385.611999] f930 b891c000 ffffffc0 95efb798 ffffffc0 95efb7a8 ffffffc0 00000000 00000000
[ 385.612041] f950 00000010 00000000 a000da80 ffffffc0 0192d000 ffffffc0 00000010 00000000
[ 385.612078] f970 00018450 ffffff80 016df9b0 ffffffc0 008c218c ffffffc0 016df9b0 ffffffc0
[ 385.612121] f990 008c21a0 ffffffc0 60000045 00000000 016df9b0 ffffffc0 008c218c ffffffc0
[ 385.612158] f9b0 016df9f0 ffffffc0 008c2950 ffffffc0 95efb798 ffffffc0 0000feff 00000000
[ 385.612199] f9d0 0192d000 ffffffc0 b891c000 ffffffc0 00000000 00000000 008c2944 ffffffc0
[ 385.612236] f9f0 016dfa30 ffffffc0 008c8fb8 ffffffc0 00018450 ffffff80 00000000 00000000
[ 385.612279] fa10 95848000 ffffffc0 00018450 ffffff80 008c8f78 ffffffc0 008c8fa8 ffffffc0
[ 385.612316]
[ 385.612340] Process swapper/0 (pid: 0, stack limit = 0xffffffc0016dc058)
[ 385.612370] Stack: (0xffffffc0016df9b0 to 0xffffffc0016e0000)
[ 385.612395] f9a0: 016df9f0 ffffffc0 008c2950 ffffffc0
[ 385.612430] f9c0: 95efb798 ffffffc0 0000feff 00000000 0192d000 ffffffc0 b891c000 ffffffc0
[ 385.612460] f9e0: 00000000 00000000 008c2944 ffffffc0 016dfa30 ffffffc0 008c8fb8 ffffffc0
[ 385.612488] fa00: 00018450 ffffff80 00000000 00000000 95848000 ffffffc0 00018450 ffffff80
[ 385.612522] fa20: 008c8f78 ffffffc0 008c8fa8 ffffffc0 016dfa60 ffffffc0 008cab08 ffffffc0
[ 385.612551] fa40: 00000010 00000000 95848000 ffffffc0 00000010 00000000 008caaf8 ffffffc0
[ 385.612579] fa60: 016dfb00 ffffffc0 008d001c ffffffc0 00000010 00000000 a000da80 ffffffc0
[ 385.612607] fa80: 95848000 ffffffc0 95840000 ffffffc0 00018450 ffffff80 9cf63700 ffffffc0
[ 385.612635] faa0: 00000000 00000000 9584a000 ffffffc0 00000400 00000000 00000046 00000000
[ 385.612664] fac0: 00000003 00000000 00f516f8 ffffffc0 95848000 ffffffc0 0155d190 ffffffc0
[ 385.612693] fae0: 00000000 ffffffc0 00000029 00000010 95840000 ffffffc0 00f51928 ffffffc0
[ 385.612722] fb00: 016dfb80 ffffffc0 008ba240 ffffffc0 b891c010 ffffffc0 b891c000 ffffffc0
[ 385.612750] fb20: 019367d0 ffffffc0 95848000 ffffffc0 b891c010 ffffffc0 00000000 00000000
[ 385.612779] fb40: 016e20b0 ffffffc0 01a46000 ffffffc0 01c52000 ffffffc0 00000001 00000000
[ 385.612807] fb60: 00f51b90 ffffffc0 00f516f8 ffffffc0 016dfb80 00000040 0192de00 ffffffc0
[ 385.612835] fb80: 016dfbd0 ffffffc0 008c1b94 ffffffc0 b891c000 ffffffc0 0192d000 ffffffc0
[ 385.612863] fba0: 00000001 00000000 974ae100 ffffffc0 01a46680 ffffffc0 974ae100 ffffffc0
[ 385.612891] fbc0: 016dfbd0 ffffffc0 008c1b84 ffffffc0 016dfc00 ffffffc0 008302ec ffffffc0
[ 385.612919] fbe0: 95848000 ffffffc0 b891c000 ffffffc0 00000000 00000000 016d4d28 ffffffc0
[ 385.612959] fc00: 016dfc20 ffffffc0 0024481c ffffffc0 9584d040 ffffffc0 9584d048 ffffffc0
[ 385.612987] fc20: 016dfc60 ffffffc0 00245040 ffffffc0 00000006 00000000 00000101 00000000
[ 385.613016] fc40: 016d4f88 ffffffc0 00000006 00000000 016e2000 ffffffc0 01a46000 ffffffc0
[ 385.613043] fc60: 016dfcf0 ffffffc0 0024583c ffffffc0 000000c0 00000000 000000ed 00000000
[ 385.613072] fc80: 00000000 00000000 c7841cef 00000059 60000045 00000000 00000001 00000000
[ 385.613099] fca0: 00000001 00000000 40202000 00000000 00205430 ffffffc0 40000000 00000040
[ 385.613134] fcc0: 016dfcd0 ffffffc0 016f08b0 ffffffc0 00002170 00000001 00200000 0000000a
[ 385.613163] fce0: 016d4dd0 ffffffc0 000000ed 00000000 016dfd10 ffffffc0 0020ada4 ffffffc0
[ 385.613192] fd00: 016d6000 ffffffc0 0020ad80 ffffffc0 016dfd40 ffffffc0 002063e8 ffffffc0
[ 385.613225] fd20: 0000200c ffffff80 016dfd70 ffffffc0 01cb1c00 ffffffc0 00002010 ffffff80
[ 385.613254] fd40: 016dfe90 ffffffc0 0020a5e8 ffffffc0 000f4240 00000000 be0bb558 ffffffc0
[ 385.613288] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000004 00000000 f9003000 ffffff80
[ 385.613317] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
[ 385.613345] fda0: ad0efa80 0034edce ffffffff 00ffffff 3b9aca00 00000000 00209800 ffffffc0
[ 385.613379] fdc0: 00000000 00000000 00000000 00000000 34c5d83d 00000000 00000000 00000000
[ 385.613406] fde0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.613438] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 00080c8c 00000000
[ 385.613465] fe20: 00000001 00000000 00000001 00000000 00000001 00000000 00000001 00000000
[ 385.613494] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
[ 385.613529] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0 00adf490 ffffffc0 60000045 00000000
[ 385.613558] fe80: 00205430 ffffffc0 40000000 00000040 016dfed0 ffffffc0 00adf5cc ffffffc0
[ 385.613585] fea0: be0bb558 ffffffc0 00000000 00000000 01a47000 ffffffc0 01fdd000 ffffffc0
[ 385.613619] fec0: 01953f38 ffffffc0 002a5598 00000001 016dff20 ffffffc0 0020b6ac ffffffc0
[ 385.613648] fee0: 01c525b8 ffffffc0 01c585d8 ffffffc0 01a47000 ffffffc0 00ec6000 ffffffc0
[ 385.613683] ff00: 01a463cb ffffffc0 014b9858 ffffffc0 40200000 00000000 00ec6000 ffffffc0
[ 385.613711] ff20: 016dff30 ffffffc0 002a5618 ffffffc0 016dff80 ffffffc0 00e74184 ffffffc0
[ 385.613740] ff40: 00000002 00000000 016bee08 ffffffc0 01a4d000 ffffffc0 be1bbac0 ffffffc0
[ 385.613774] ff60: 016bee08 ffffffc0 40000000 00000000 40200000 00000000 40202000 00000000
[ 385.613802] ff80: 016dffa0 ffffffc0 01670808 ffffffc0 01c89000 ffffffc0 01670800 ffffffc0
[ 385.613838] ffa0: 00000000 00000000 40205210 00000000 43e77c88 00000000 00000e11 00000000
[ 385.613866] ffc0: 4a000000 00000000 410fd032 00000000 416e9dd8 00000000 00000000 00000000
[ 385.613894] ffe0: 00000000 00000000 016bee08 ffffffc0 00000000 00000000 00000000 00000000
[ 385.613912] Call trace:
[ 385.613947] [<ffffffc0008c21a0>] dhd_bus_clean_flow_ring+0xb0/0xf8
[ 385.613974] [<ffffffc0008c294c>] dhd_bus_flow_ring_delete_response+0xa4/0x138
[ 385.614004] [<ffffffc0008c8fb4>] dhd_prot_process_flow_ring_delete_response+0x3c/0x78
[ 385.614031] [<ffffffc0008cab04>] dhd_prot_process_msgtype+0x14c/0x5a8
[ 385.614055] [<ffffffc0008d0018>] dhd_prot_process_msgbuf_txcpl+0x1c8/0x3f0
[ 385.614085] [<ffffffc0008ba23c>] dhdpcie_bus_process_mailbox_intr+0x1f4/0x518
[ 385.614111] [<ffffffc0008c1b90>] dhd_bus_dpc+0x160/0x260
[ 385.614142] [<ffffffc0008302e8>] dhd_dpc+0x28/0x98
[ 385.614173] [<ffffffc000244818>] tasklet_action+0x90/0x1e0
[ 385.614199] [<ffffffc00024503c>] __do_softirq+0x144/0x3e0
[ 385.614226] [<ffffffc000245838>] irq_exit+0x108/0x130
[ 385.614254] [<ffffffc00020ada0>] handle_IRQ+0x58/0xc8
[ 385.614297] [<ffffffc0002063e4>] gic_handle_irq+0x3c/0x88
[ 385.614319] Exception stack(0xffffffc0016dfd50 to 0xffffffc0016dfe70)
[ 385.614344] fd40: 000f4240 00000000 be0bb558 ffffffc0
[ 385.614372] fd60: 016dfe90 ffffffc0 00adf490 ffffffc0 00000004 00000000 f9003000 ffffff80
[ 385.614405] fd80: 01c525b8 ffffffc0 00000003 00000000 01cbb9a0 ffffffc0 00000018 00000000
[ 385.614433] fda0: ad0efa80 0034edce ffffffff 00ffffff 3b9aca00 00000000 00209800 ffffffc0
[ 385.614467] fdc0: 00000000 00000000 00000000 00000000 34c5d83d 00000000 00000000 00000000
[ 385.614494] fde0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 385.614521] fe00: ffffffff 00000000 000f4240 00000000 be0bb558 ffffffc0 00080c8c 00000000
[ 385.614555] fe20: 00000001 00000000 00000001 00000000 00000001 00000000 00000001 00000000
[ 385.614583] fe40: 40202000 00000000 00205430 ffffffc0 40000000 00000040 016dfe90 ffffffc0
[ 385.614608] fe60: 00adf48c ffffffc0 016dfe90 ffffffc0
[ 385.614637] [<ffffffc00020a5e4>] el1_irq+0x64/0xd4
[ 385.614672] [<ffffffc000adf5c8>] cpuidle_idle_call+0xc0/0x278
[ 385.614697] [<ffffffc00020b6a8>] arch_cpu_idle+0x8/0x20
[ 385.614736] [<ffffffc0002a5614>] cpu_startup_entry+0xcc/0x280
[ 385.614770] [<ffffffc000e74180>] rest_init+0x80/0x90
[ 385.614803] [<ffffffc001670804>] start_kernel+0x314/0x32c
[ 385.614836] Code: a94002a2 52800041 390106a1 aa1703e1 (f9000002)
[ 385.614979] ---[ end trace 7a106c4f8760a982 ]---CVE-2018-14855
A simple heap overflow checking mechanism (allocates selected objects right before a NON-PRESENT page) was used to produce the crash
[ 100.646256] ------------[ cut here ]------------
[ 100.646269] Kernel BUG at ffffffc0008aac18 [verbose debug info unavailable]
[ 100.646284] Internal error: Oops - BUG: 96000007 [#1] PREEMPT SMP
[ 100.646301] Modules linked in:
[ 100.646318] exynos-snapshot: core register saved(CPU:0)
[ 100.646330] CPUMERRSR: 0000000000000000, L2MERRSR: 0000000000000000
[ 100.646343] exynos-snapshot: context saved(CPU:0)
[ 100.646417] exynos-snapshot: item - log_kevents is disabled
[ 100.646471] CPU: 0 PID: 5032 Comm: dmesg Tainted: G W 3.10.61-TeamNexus-gb11c661e30ff-dirty #891
[ 100.646490] task: ffffffc0ba76c440 ti: ffffffc07db08000 task.ti: ffffffc07db08000
[ 100.646520] PC is at dhd_bus_flow_ring_flush_response+0x68/0xf8
[ 100.646536] LR is at dhd_bus_flow_ring_flush_response+0x68/0xf8
[ 100.646551] pc : [<ffffffc0008aac18>] lr : [<ffffffc0008aac18>] pstate: 40000045
[ 100.646563] sp : ffffffc07db0bb70
[ 100.646577] x29: ffffffc07db0bb70 x28: 0000000000000000
[ 100.646594] x27: ffffffc00153c000 x26: ffffffc0958b0000
[ 100.646607] x25: ffffffc095888000 x24: ffffffc0b1c09f80
[ 100.646621] x23: 0000000000000010 x22: ffffff80000185d0
[ 100.646634] x21: ffffffc0a06c8000 x20: 000000000000002a
[ 100.646647] x19: ffffffc054e02000 x18: 000000000000000a
[ 100.646660] x17: 0000007fa2c349a8 x16: 0000007fa2cdc238
[ 100.646673] x15: 0000000000000001 x14: 0000000000000002
[ 100.646686] x13: 00000000000013a8 x12: 0000000000000004
[ 100.646699] x11: ffffffc081a324ee x10: ffffffc001a32504
[ 100.646712] x9 : 7f7f7f7f7f7f7f7f x8 : 666666662065646f
[ 100.646726] x7 : 6e5f676e69725f77 x6 : ffffffc001a3254e
[ 100.646739] x5 : 00000000000000c0 x4 : 0000000000000007
[ 100.646751] x3 : 0000000000000000 x2 : 0000000000000007
[ 100.646764] x1 : 0000000000000100 x0 : 0000000000000044
[ 100.646779]
[ 100.646779] PC: 0xffffffc0008aab98:
[ 100.646798] ab98 a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 d503201f a9bd7bfd 910003fd
[ 100.646823] abb8 a90153f3 2a0203f3 f90013f5 12003c34 aa0003f5 97e8adf7 35000513 97e8adf5
[ 100.646846] abd8 52800d13 2a1403e1 b0006480 91280000 9416ef21 b94ef2a1 b0006480 9128e000
[ 100.646868] abf8 9416ef1d f94002a1 b0006480 9129c000 f9573821 9bb30693 aa1303e1 9416ef16
[ 100.646890] ac18 79408660 6b14001f 54000181 97e8ade1 39410661 b0006480 912ac000 9416ef0e
[ 100.646912] ac38 3901067f 97e8addb f94013f5 a94153f3 a8c37bfd d65f03c0 97e8add6 90006481
[ 100.646934] ac58 b0006480 52828822 91212021 9122a000 97fe79c2 17ffffee 97e8adce d0003441
[ 100.646957] ac78 911aa021 2a1303e2 910b6021 b0006480 91272000 9416eef8 97e8adc6 f94013f5
[ 100.646982]
[ 100.646982] LR: 0xffffffc0008aab98:
[ 100.647001] ab98 a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 d503201f a9bd7bfd 910003fd
[ 100.647023] abb8 a90153f3 2a0203f3 f90013f5 12003c34 aa0003f5 97e8adf7 35000513 97e8adf5
[ 100.647045] abd8 52800d13 2a1403e1 b0006480 91280000 9416ef21 b94ef2a1 b0006480 9128e000
[ 100.647066] abf8 9416ef1d f94002a1 b0006480 9129c000 f9573821 9bb30693 aa1303e1 9416ef16
[ 100.647088] ac18 79408660 6b14001f 54000181 97e8ade1 39410661 b0006480 912ac000 9416ef0e
[ 100.647110] ac38 3901067f 97e8addb f94013f5 a94153f3 a8c37bfd d65f03c0 97e8add6 90006481
[ 100.647132] ac58 b0006480 52828822 91212021 9122a000 97fe79c2 17ffffee 97e8adce d0003441
[ 100.647154] ac78 911aa021 2a1303e2 910b6021 b0006480 91272000 9416eef8 97e8adc6 f94013f5
[ 100.647179]
[ 100.647179] SP: 0xffffffc07db0baf0:
[ 100.647198] baf0 0000002a 00000000 a06c8000 ffffffc0 000185d0 ffffff80 00000010 00000000
[ 100.647220] bb10 b1c09f80 ffffffc0 95888000 ffffffc0 958b0000 ffffffc0 0153c000 ffffffc0
[ 100.647242] bb30 00000000 00000000 7db0bb70 ffffffc0 008aac18 ffffffc0 7db0bb70 ffffffc0
[ 100.647263] bb50 008aac18 ffffffc0 40000045 00000000 01a3253c ffffffc0 5f687375 70736572
[ 100.647285] bb70 7db0bba0 ffffffc0 008b0020 ffffffc0 000185d0 ffffff80 958b0000 ffffffc0
[ 100.647307] bb90 00000010 00000000 00000010 00000000 7db0bbc0 ffffffc0 008afe80 ffffffc0
[ 100.647329] bbb0 00000010 00000000 00000010 00000000 7db0bc60 ffffffc0 008b571c ffffffc0
[ 100.647352] bbd0 00000010 00000000 b1c09f80 ffffffc0 958b0000 ffffffc0 000185d0 ffffff80
[ 100.647378]
[ 100.647378] X6: 0xffffffc001a324ce:
[ 100.647397] 24cc 00000000 00000000 00000000 00000001 00000000 30303020 32303330 39333730
[ 100.647419] 24ec 20205d39 203a305b 20202020 20202020 656d6420 203a6773 32333035 3432205d
[ 100.647440] 250c 30206330 34362e30 38373337 5b49205d 20203a30 20202020 20202020 73656d64
[ 100.647462] 252c 35203a67 5d323330 3a365820 66783020 66666666 30306366 32336131 3a656334
[ 100.647483] 254c 0a0a350a 31316267 31363663 66303365 69642d66 20797472 31393823 302b650a
[ 100.647505] 256c 2f633178 38337830 64646120 78303d72 66666666 30386666 31303030 61643538
[ 100.647527] 258c 7463202c 78303d78 31396233 5f630a30 30203a54 6170202c 64657373 203a545f
[ 100.647549] 25ac 202c3036 6c6c7566 203a545f 202c3036 5f676863 5f646e65 30203a54 6572202c
[ 100.647572] 25cc 3a746e63 202c3020 64736963 7830203a 68300a30 6233312c 312c6837 68303034
[ 100.647596]
[ 100.647596] X10: 0xffffffc001a32484:
[ 100.647616] 2484 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.647637] 24a4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.647659] 24c4 00000000 00000000 00000000 00000000 00000000 00000001 00000000 30303020
[ 100.647680] 24e4 362e3030 38363730 20205d30 203a305b 20202020 20202020 656d6420 203a6773
[ 100.647702] 2504 32333035 3532205d 30203430 34362e30 36393537 5b49205d 20203a30 20202020
[ 100.647723] 2524 20202020 73656d64 35203a67 5d323330 30315820 7830203a 66666666 30636666
[ 100.647745] 2544 33613130 34383432 0a0a0a3a 31316267 31363663 66303365 69642d66 20797472
[ 100.647767] 2564 31393823 302b650a 2f633178 38337830 64646120 78303d72 66666666 30386666
[ 100.647791]
[ 100.647791] X11: 0xffffffc081a3246e:
[ 100.647810] 246c f9000be1 f9427e7e d63f03c0 f9000be1 f9427e7e d63f03c0 f9000be0 5280f360
[ 100.647834] 248c f941127e d63f03c0 2a0003e1 f9400be0 17ffffc4 a90107e0 aa0103e0 aa0203e1
[ 100.647855] 24ac f941067e d63f03c0 a94107e0 17ffffc1 f9000be0 f9427e7e d63f03c0 f9000be1
[ 100.647878] 24cc f9427e7e d63f03c0 f9426a7e d63f03c0 17ffff9d 007aedaf 00000050 40700000
[ 100.647899] 24ec 00000000 000000c0 d1400bf0 b940021f f81b0fe0 a90357f4 a9047bf6 b9005be1
[ 100.647922] 250c b9005fe2 79400270 35000410 aa0103e0 aa0203f4 aa0003f5 f941a67e d63f03c0
[ 100.647943] 252c b9400ea1 340003c1 aa1403e2 aa0103f6 d2914271 b9400020 f9404400 f940fc00
[ 100.647965] 254c f940181e d63f03c0 14000009 b9408a74 b9008a7f b9405be0 f941aa7e d63f03c0
[ 100.647987] 256c aa1403e0 f9426e7e d63f03c0 b9405be0 f941aa7e d63f03c0 a94357f4 a9447bf6
[ 100.648015]
[ 100.648015] X19: 0xffffffc054e01f80:
[ 100.648034] 1f80 00007dea 00000000 90e0ee00 ffffffc0 6077da00 ffffffc0 a06c8010 ffffffc0
[ 100.648057] 1fa0 54e01f30 ffffffc0 54e01fa8 ffffffc0 54e01fa8 ffffffc0 00000000 00000000
[ 100.648079] 1fc0 00000000 00000000 07ff0000 00000000 008ada10 ffffffc0 00290001 50e80007
[ 100.648101] 1fe0 7dea798b 439c2500 00003f8f 00000000 7cee3880 ffffffc0 605debc0 ffffffc0
[ 100.648122] 2000
[ 100.648835]
[ 100.648835] X21: 0xffffffc0a06c7f80:
[ 100.648854] 7f80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.648877] 7fa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.648898] 7fc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.648919] 7fe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.648941] 8000 958b0000 ffffffc0 a00cd800 ffffffc0 54e01f30 ffffffc0 54e01f98 ffffffc0
[ 100.648964] 8020 5f656b00 ffffffc0 89171000 ffffffc0 00000d7d 00000000 0d280000 ffffff80
[ 100.648986] 8040 00000006 00000000 000c0000 000c0000 00000000 00000000 00000000 00000001
[ 100.649008] 8060 958b2fb0 ffffffc0 958b3fb0 ffffffc0 00000000 00000000 00000000 00000000
[ 100.649032]
[ 100.649032] X24: 0xffffffc0b1c09f00:
[ 100.649051] 9f00 00040001 72683264 6c706378 00000000 00000000 00000000 00000000 00000000
[ 100.649074] 9f20 00016000 ffffff80 f9a0a000 00000000 00000000 00000000 00000000 00000000
[ 100.649095] 9f40 00000000 00000000 9dd78480 ffffffc0 9dd78d80 ffffffc0 00000152 00000000
[ 100.649117] 9f60 00000000 00000000 00000000 00000000 00000000 00000000 00000007 00000000
[ 100.649138] 9f80 00030001 74683264 6c706378 00000000 00000000 00000000 00000000 00000000
[ 100.649160] 9fa0 00018000 ffffff80 f9a0c000 00000000 00000000 00000000 00000000 00000000
[ 100.649182] 9fc0 00000000 00000000 9dd78c00 ffffffc0 9dd78140 ffffffc0 0000015c 00000000
[ 100.649205] 9fe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649228]
[ 100.649228] X25: 0xffffffc095887f80:
[ 100.649247] 7f80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649269] 7fa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649290] 7fc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649312] 7fe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649333] 8000 b1c05400 ffffffc0 00000000 00000055 00000000 00ff00ec 00080008 00080008
[ 100.649355] 8020 02000002 00000030 b1c05d00 ffffffc0 b1c05b00 ffffffc0 b1c05e00 ffffffc0
[ 100.649377] 8040 b1c09f80 ffffffc0 b1c09f00 ffffffc0 b1c09e00 ffffffc0 00000000 00000000
[ 100.649400] 8060 0001c000 ffffff80 f9a10000 00000000 00000000 00000000 00020000 ffffff80
[ 100.649424]
[ 100.649424] X26: 0xffffffc0958aff80:
[ 100.649443] ff80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649465] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649487] ffc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649508] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649530] 0000 b1c05400 ffffffc0 a06c8000 ffffffc0 95888000 ffffffc0 958b0000 ffffffc0
[ 100.649552] 0020 00000001 006f006f 00000000 00000002 00000000 00000000 000005ea 00000100
[ 100.649574] 0040 00000000 00000000 798b50e8 00007dea 00000000 00000000 00000000 00000000
[ 100.649596] 0060 00012a7a 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 100.649620]
[ 100.649620] X27: 0xffffffc00153bf80:
[ 100.649639] bf80 69766564 65206563 656d756e 65746172 000a2164 00000000 203a7325 70646864
[ 100.649662] bfa0 20656963 74696e69 696c6169 6620657a 656c6961 000a2e64 70646864 3a656963
[ 100.649684] bfc0 00007325 00000000 203a7325 75716572 5f747365 28717269 61662029 64656c69
[ 100.649707] bfe0 0000000a 00000000 203a7325 20494350 20515249 61207369 6165726c 72207964
[ 100.649729] c000 73696765 65726574 00000a64 00000000 203a7325 6e6e6143 6520746f 6c62616e
[ 100.649751] c020 43502065 65642049 65636976 0000000a 203a7325 31524142 746f4e20 616e6520
[ 100.649773] c040 64656c62 726f6620 69687420 65642073 65636976 69732020 2528657a 2c29646c
[ 100.649795] c060 64646120 78302872 30257830 6c6c3631 000a2978 00000000 693a7325 6d65726f
[ 100.649820]
[ 100.649820] X29: 0xffffffc07db0baf0:
[ 100.649839] baf0 0000002a 00000000 a06c8000 ffffffc0 000185d0 ffffff80 00000010 00000000
[ 100.649861] bb10 b1c09f80 ffffffc0 95888000 ffffffc0 958b0000 ffffffc0 0153c000 ffffffc0
[ 100.649883] bb30 00000000 00000000 7db0bb70 ffffffc0 008aac18 ffffffc0 7db0bb70 ffffffc0
[ 100.649905] bb50 008aac18 ffffffc0 40000045 00000000 01a3253c ffffffc0 5f687375 70736572
[ 100.649927] bb70 7db0bba0 ffffffc0 008b0020 ffffffc0 000185d0 ffffff80 958b0000 ffffffc0
[ 100.649949] bb90 00000010 00000000 00000010 00000000 7db0bbc0 ffffffc0 008afe80 ffffffc0
[ 100.649970] bbb0 00000010 00000000 00000010 00000000 7db0bc60 ffffffc0 008b571c ffffffc0
[ 100.649992] bbd0 00000010 00000000 b1c09f80 ffffffc0 958b0000 ffffffc0 000185d0 ffffff80
[ 100.650014]
[ 100.650028] Process dmesg (pid: 5032, stack limit = 0xffffffc07db08058)
[ 100.650044] Stack: (0xffffffc07db0bb70 to 0xffffffc07db0c000)
[ 100.650060] bb60: 7db0bba0 ffffffc0 008b0020 ffffffc0
[ 100.650078] bb80: 000185d0 ffffff80 958b0000 ffffffc0 00000010 00000000 00000010 00000000
[ 100.650095] bba0: 7db0bbc0 ffffffc0 008afe80 ffffffc0 00000010 00000000 00000010 00000000
[ 100.650113] bbc0: 7db0bc60 ffffffc0 008b571c ffffffc0 00000010 00000000 b1c09f80 ffffffc0
[ 100.650130] bbe0: 958b0000 ffffffc0 000185d0 ffffff80 95888000 ffffffc0 9dd78c00 ffffffc0
[ 100.650148] bc00: 00000400 00000000 00000000 00000000 958b2000 ffffffc0 0000005e 00000000
[ 100.650166] bc20: 958b2000 ffffffc0 00000010 00000000 0153cab8 ffffffc0 008afff8 ffffffc0
[ 100.650185] bc40: 000185d0 ffffff80 008b5588 00000010 00f34c88 ffffffc0 00f34c58 ffffffc0
[ 100.650202] bc60: 7db0bce0 ffffffc0 008a4100 ffffffc0 a06c8010 ffffffc0 a06c8000 ffffffc0
[ 100.650220] bc80: 01916a10 ffffffc0 958b0000 ffffffc0 a06c8010 ffffffc0 00000000 00000000
[ 100.650238] bca0: 016c20b0 ffffffc0 01a26000 ffffffc0 01c33000 ffffffc0 00000001 00000000
[ 100.650256] bcc0: a06c8010 ffffffc0 00f34fa8 ffffffc0 0153c7e8 ffffffc0 00f34fc8 00000040
[ 100.650274] bce0: 7db0bd30 ffffffc0 008a997c ffffffc0 a06c8000 ffffffc0 00000001 00000000
[ 100.650292] bd00: 5f656b00 ffffffc0 016b4d68 ffffffc0 01a26a40 ffffffc0 016b4d68 ffffffc0
[ 100.650310] bd20: 01a26a40 ffffffc0 00000000 00000000 7db0bd60 ffffffc0 00829084 ffffffc0
[ 100.650328] bd40: 958b0000 ffffffc0 a06c8000 ffffffc0 00000000 00000000 01a2e758 ffffffc0
[ 100.650346] bd60: 7db0bd80 ffffffc0 0024450c ffffffc0 958b5040 ffffffc0 958b5048 ffffffc0
[ 100.650364] bd80: 7db0bdc0 ffffffc0 00244d30 ffffffc0 00000006 00000000 00000100 00000000
[ 100.650381] bda0: 016b4fc8 ffffffc0 00000006 00000000 016c2000 ffffffc0 01a26000 ffffffc0
[ 100.650399] bdc0: 7db0be50 ffffffc0 0024552c ffffffc0 000000c0 00000000 000000ed 00000000
[ 100.650416] bde0: 00000000 00000000 6ec56e03 00000017 80000000 00000000 00000001 00000000
[ 100.650434] be00: f855a438 0000007f 00000002 00000000 00000001 00000000 7db08000 ffffffc0
[ 100.650452] be20: 7db0be30 ffffffc0 016d08f0 ffffffc0 ffffb220 00000000 00404000 0000000a
[ 100.650470] be40: 016b4e10 ffffffc0 000000ed 00000000 7db0be70 ffffffc0 0020ada4 ffffffc0
[ 100.650488] be60: 016b6000 ffffffc0 0020ad80 ffffffc0 7db0bea0 ffffffc0 002063e8 ffffffc0
[ 100.650506] be80: 0000200c ffffff80 7db0bed0 ffffffc0 01c92c40 ffffffc0 00002010 ffffff80
[ 100.650524] bea0: f855a410 0000007f 0020aa90 ffffffc0 00000000 00000000 f855a438 0000007f
[ 100.650542] bec0: ffffffff ffffffff a2c34a20 0000007f a281c069 0000007f 724460f6 00000055
[ 100.650559] bee0: 00000001 00000000 724460e0 00000055 724460f7 00000055 a281c06a 0000007f
[ 100.650577] bf00: 00000040 00000000 00000066 00000000 00000001 00000000 ffffff97 00000000
[ 100.650594] bf20: a281c000 0000007f 000013a8 00000000 0ccccccc 00000000 8000002f 00000000
[ 100.650613] bf40: a2cc0fd8 0000007f a2cc0c7c 0000007f a2cdc238 0000007f a2c349a8 0000007f
[ 100.650630] bf60: ffffffff 00000000 a2cde730 0000007f f855a438 0000007f 724460f6 00000055
[ 100.650648] bf80: 00000001 00000000 00000001 00000000 00000001 00000000 f855a438 0000007f
[ 100.650665] bfa0: 00000002 00000000 00000001 00000000 00000000 00000000 f855a410 0000007f
[ 100.650683] bfc0: a2c731a8 0000007f f855a3c0 0000007f a2c34a20 0000007f 80000000 00000000
[ 100.650700] bfe0: 00000003 00000000 ffffffff ffffffff ff000000 ff000000 ff000000 ff000000
[ 100.650713] Call trace:
[ 100.650733] [<ffffffc0008aac18>] dhd_bus_flow_ring_flush_response+0x68/0xf8
[ 100.650754] [<ffffffc0008b001c>] dhd_prot_process_flow_ring_flush_response+0x24/0x38
[ 100.650771] [<ffffffc0008afe7c>] dhd_prot_process_msgtype+0x29c/0x418
[ 100.650790] [<ffffffc0008b5718>] dhd_prot_process_msgbuf_txcpl+0x138/0x2b0
[ 100.650808] [<ffffffc0008a40fc>] dhdpcie_bus_process_mailbox_intr+0x1f4/0x360
[ 100.650824] [<ffffffc0008a9978>] dhd_bus_dpc+0x158/0x220
[ 100.650847] [<ffffffc000829080>] dhd_dpc+0x28/0x98
[ 100.650868] [<ffffffc000244508>] tasklet_action+0x90/0x1e0
[ 100.650886] [<ffffffc000244d2c>] __do_softirq+0x144/0x3e0
[ 100.650902] [<ffffffc000245528>] irq_exit+0x108/0x130
[ 100.650921] [<ffffffc00020ada0>] handle_IRQ+0x58/0xc8
[ 100.650937] [<ffffffc0002063e4>] gic_handle_irq+0x3c/0x88
[ 100.650951] Exception stack(0xffffffc07db0beb0 to 0xffffffc07db0bfd0)
[ 100.650966] bea0: 00000000 00000000 f855a438 0000007f
[ 100.650984] bec0: ffffffff ffffffff a2c34a20 0000007f a281c069 0000007f 724460f6 00000055
[ 100.651001] bee0: 00000001 00000000 724460e0 00000055 724460f7 00000055 a281c06a 0000007f
[ 100.651018] bf00: 00000040 00000000 00000066 00000000 00000001 00000000 ffffff97 00000000
[ 100.651036] bf20: a281c000 0000007f 000013a8 00000000 0ccccccc 00000000 8000002f 00000000
[ 100.651054] bf40: a2cc0fd8 0000007f a2cc0c7c 0000007f a2cdc238 0000007f a2c349a8 0000007f
[ 100.651071] bf60: ffffffff 00000000 a2cde730 0000007f f855a438 0000007f 724460f6 00000055
[ 100.651088] bf80: 00000001 00000000 00000001 00000000 00000001 00000000 f855a438 0000007f
[ 100.651105] bfa0: 00000002 00000000 00000001 00000000 00000000 00000000 f855a410 0000007f
[ 100.651120] bfc0: a2c731a8 0000007f f855a3c0 0000007f
[ 100.651137] Code: f9573821 9bb30693 aa1303e1 9416ef16 (79408660)
[ 100.651157] ---[ end trace 6e37f9efafafef6f ]---In-Depth Analysis
Exploiting the out of bound array access into flow ring array
We found several vulnerabilities relating to the access of an array of pointers to 'flow ring' data structures which are allocated by the bcmdhd4358 WiFi driver. The vulnerabilities occur on several locations within the bcmdhd4358 driver code where the index into the flow ring array (called flowid) is obtained directly from data provided by the WiFi peripheral and not validated. We discovered that this was the case in the following functions:
dhd_pcie.c:dhd_bus_flow_ring_create_response (CVE-2018-14856)dhd_pcie.c:dhd_bus_flow_ring_delete_response (CVE-2018-14854)dhd_pcie.c:dhd_bus_flow_ring_flush_response (CVE-2018-14855)
Each of these functions receives the flowid as a parameter which is under direct attacker control and uses it to extract an entry from the flow ring array using the macro DHD_FLOW_RING. The code contains ASSERT macros which compare the flowid field of the dereferenced data structure with the attacker controlled value of flowid. However a mismatch will only generate a warning message and not lead to alter the program behaviour otherwise.
#define DHD_FLOW_RING(dhdp, flowid) \
(flow_ring_node_t *)&(((flow_ring_node_t*) \
((dhdp)->flow_ring_table))[flowid])
The function dhd_bus_flow_ring_flush_response first dereferences the pointer obtained from the flow ring array at offset flowid as a variable of the type flow_ring_node_t and then proceeds to set the 1 byte long status field of the dereferenced flow_ring_node_t structure to the constant FLOW_RING_STATUS_OPEN which is zero.
void
dhd_bus_flow_ring_flush_response(dhd_bus_t *bus, uint16 flowid, uint32 status)
{
flow_ring_node_t *flow_ring_node;
if (status != BCME_OK) {
DHD_ERROR(("%s Flow flush Response failure error status = %d \n",
__FUNCTION__, status));
return;
}
// XXX flowid not validated
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
ASSERT(flow_ring_node->flowid == flowid);
// XXX overwrite one byte with 0
flow_ring_node->status = FLOW_RING_STATUS_OPEN;
return;
}
An attacker can use this to zero an arbitrary byte of kernel memory. To that end he has to find a value for flowid so that the flow ring array base address plus the flowid * sizeof(flow_ring_node_t) points to a memory area containing the byte that the attacker wishes to modify.
The function dhd_bus_flow_ring_create_response also first dereferences the pointer obtained from the flow ring array at offset flowid as a variable of the type flow_ring_node_t. The dereferenced data structure contains a field named lock of type void* which is then passed to the function dhd_os_spin_lock which either passes the pointer on to the kernel function spin_lock_irqsave, or does nothing if the lock pointer is zero.
The function dhd_bus_flow_ring_create_response then overwrites the status byte of the dereferenced flow_ring_node_t structure as described in the previous paragraph. Finally the function calls dhd_os_spin_unlock on the lock pointer.
This vulnerability is potentially more severe compared to the vulnerability described before since it allows an attacker to trigger
the execution of the spin_lock_irqsave and spin_unlock_irqrestore call chains on arbitrary kernel memory, however we did not investigate this further since the capability to zero a byte at an arbitrary address already was sufficient reason to patch the underlying cause of the vulnerability.
void
dhd_bus_flow_ring_create_response(dhd_bus_t *bus, uint16 flowid, int32 status)
{
flow_ring_node_t *flow_ring_node;
unsigned long flags;
DHD_INFO(("%s :Flow Response %d \n", __FUNCTION__, flowid));
// XXX flowid not validated
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
ASSERT(flow_ring_node->flowid == flowid);
if (status != BCME_OK) {
DHD_ERROR(("%s Flow create Response failure error status = %d \n",
__FUNCTION__, status));
/* Call Flow clean up */
dhd_bus_clean_flow_ring(bus, flow_ring_node);
return;
}
// XXX lock is passed to dhd_os_spin_lock
DHD_FLOWRING_LOCK(flow_ring_node->lock, flags);
// XXX overwrite one byte with 0
flow_ring_node->status = FLOW_RING_STATUS_OPEN;
// XXX lock is passed to dhd_os_spin_unlock
DHD_FLOWRING_UNLOCK(flow_ring_node->lock, flags);
dhd_bus_schedule_queue(bus, flowid, FALSE);
return;
}
Both of the functions dhd_bus_flow_ring_create_response and dhd_bus_flow_ring_delete_response pass the flow_ring_node pointer to the function dhd_bus_clean_flow_ring, which accesses the dereferenced memory in the following ways:
- Obtains the field
lockfrom the dereferenced data structure and passes it todhd_os_spin_lockanddhd_os_spin_unlock - Obtains the field
queuefrom the dereferenced data structure and passes it todhd_flow_queue_dequeue - Overwrites the field
statusof the dereferenced data structure with the value zero - Overwrites the field
activeof the dereferenced data structure with the value zero - ...
void
dhd_bus_flow_ring_delete_response(dhd_bus_t *bus, uint16 flowid, uint32 status)
{
flow_ring_node_t *flow_ring_node;
DHD_INFO(("%s :Flow Delete Response %d \n", __FUNCTION__, flowid));
// XXX flowid not validated
flow_ring_node = DHD_FLOW_RING(bus->dhd, flowid);
ASSERT(flow_ring_node->flowid == flowid);
if (status != BCME_OK) {
DHD_ERROR(("%s Flow Delete Response failure error status = %d \n",
__FUNCTION__, status));
return;
}
/* Call Flow clean up */
dhd_bus_clean_flow_ring(bus, flow_ring_node);
return;
}
void dhd_bus_clean_flow_ring(dhd_bus_t *bus, void *node)
{
void *pkt;
flow_queue_t *queue;
flow_ring_node_t *flow_ring_node = (flow_ring_node_t *)node;
unsigned long flags;
queue = &flow_ring_node->queue;
#ifdef DHDTCPACK_SUPPRESS
/* Clean tcp_ack_info_tbl in order to prevent access to flushed pkt,
* when there is a newly coming packet from network stack.
*/
dhd_tcpack_info_tbl_clean(bus->dhd);
#endif /* DHDTCPACK_SUPPRESS */
/* clean up BUS level info */
DHD_FLOWRING_LOCK(flow_ring_node->lock, flags);
/* Flush all pending packets in the queue, if any */
while ((pkt = dhd_flow_queue_dequeue(bus->dhd, queue)) != NULL) {
PKTFREE(bus->dhd->osh, pkt, TRUE);
}
ASSERT(flow_queue_empty(queue));
flow_ring_node->status = FLOW_RING_STATUS_CLOSED;
flow_ring_node->active = FALSE;
dll_delete(&flow_ring_node->list);
DHD_FLOWRING_UNLOCK(flow_ring_node->lock, flags);
/* Call Flow ring clean up */
dhd_prot_clean_flow_ring(bus->dhd, flow_ring_node->prot_info);
dhd_flowid_free(bus->dhd, flow_ring_node->flow_info.ifindex,
flow_ring_node->flowid);
}