In the Linux kernel, the following vulnerability has been resolved:
cpufreq: qcom: fix writes in read-only memory region
This commit fixes a kernel oops because of a write in some read-only memory:
[ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8
..snip..
[ 9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP
..snip..
[ 9.269161] Call trace:
[ 9.276271] __memcpy+0x5c/0x230
[ 9.278531] snprintf+0x58/0x80
[ 9.282002] qcom_cpufreq_msm8939_name_version+0xb4/0x190
[ 9.284869] qcom_cpufreq_probe+0xc8/0x39c
..snip..
The following line defines a pointer that point to a char buffer stored in read-only memory:
char *pvs_name = speedXX-pvsXX-vXX;
This pointer is meant to hold a template speedXX-pvsXX-vXX where the XX values get overridden by the qcom_cpufreq_krait_name_version function. Since the template is actually stored in read-only memory, when the function executes the following call we get an oops:
snprintf(*pvs_name, sizeof(speedXX-pvsXX-vXX), speed%d-pvs%d-v%d,
speed, pvs, pvs_ver);
To fix this issue, we instead store the template name onto the stack by using the following syntax:
char pvs_name_buffer[] = speedXX-pvsXX-vXX;
Because the pvs_name needs to be able to be assigned to NULL, the
template buffer is stored in the pvs_name_buffer and not under the
pvs_name variable.