From: Luca Coelho <luca@coelho.fi>
To: kvalo@kernel.org
Cc: luca@coelho.fi, linux-wireless@vger.kernel.org
Subject: [PATCH 06/10] iwlwifi: fix debug TLV parsing
Date: Fri, 10 Dec 2021 11:12:41 +0200
Message-ID: <iwlwifi.20211210110539.84848da8067f.Ifb4f80c95d283ec62e495a7928069af711b5fee2@changeid>
In-Reply-To: <20211210091245.289008-1-luca@coelho.fi>

From: Johannes Berg <johannes.berg@intel.com>

Debug TLV parsing was missing size checks, so if a valid but
too short TLV was encountered, it would attempt to read it.
If the firmware file was arranged to be a multiple of pages
long with this happening just before the end, it could crash
reading out-of-bounds of a vmalloc area.

Fix this by adding the relevant size check.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
index a8ebc26d1da1..c2fbda2ffe7e 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
@@ -300,14 +300,21 @@ static int (*dbg_tlv_alloc[])(struct iwl_trans *trans,
 void iwl_dbg_tlv_alloc(struct iwl_trans *trans, const struct iwl_ucode_tlv *tlv,
 		       bool ext)
 {
-	const struct iwl_fw_ini_header *hdr = (const void *)&tlv->data[0];
-	u32 type = le32_to_cpu(tlv->type);
-	u32 tlv_idx = type - IWL_UCODE_TLV_DEBUG_BASE;
-	u32 domain = le32_to_cpu(hdr->domain);
 	enum iwl_ini_cfg_state *cfg_state = ext ?
 		&trans->dbg.external_ini_cfg : &trans->dbg.internal_ini_cfg;
+	const struct iwl_fw_ini_header *hdr = (const void *)&tlv->data[0];
+	u32 type;
+	u32 tlv_idx;
+	u32 domain;
 	int ret;
 
+	if (le32_to_cpu(tlv->length) < sizeof(*hdr))
+		return;
+
+	type = le32_to_cpu(tlv->type);
+	tlv_idx = type - IWL_UCODE_TLV_DEBUG_BASE;
+	domain = le32_to_cpu(hdr->domain);
+
 	if (domain != IWL_FW_INI_DOMAIN_ALWAYS_ON &&
 	    !(domain & trans->dbg.domains_bitmap)) {
 		IWL_DEBUG_FW(trans,
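Review bot: the new early return at `if (le32_to_cpu(tlv->length) < sizeof(*hdr)) return;` is silent, whereas the domain mismatch a few lines below is reported through IWL_DEBUG_FW; consider emitting a similar IWL_DEBUG_FW message before returning so that a truncated debug TLV in a firmware file shows up in the firmware debug log rather than being dropped without trace. Moving the `hdr->domain` read below the length check is the fix itself and is correct; the hunk shows no bounds check on `tlv_idx` before it would be used to index `dbg_tlv_alloc[]`, so confirm the existing code below the hunk still performs that check.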
-- 
2.34.1
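The commit message describes a parser that read a fixed-size header out of a TLV payload before checking that the payload was long enough to contain it. The following is an added, self-contained example written for this page (not code from the patch or from iwlwifi) that walks a firmware-style TLV blob with every read guarded by a length check: the TLV header must fit in the remaining bytes, the declared payload length must fit, and a debug TLV's payload must be at least the size of its inner header before the domain field is read. The struct layouts, `TLV_DEBUG_BASE`, `TLV_DEBUG_COUNT`, and the sample blobs are simplified stand-ins constructed here; they are not the driver's definitions.

```c
/*
 * Added example (not from the patch or from iwlwifi): a bounds-checked walk
 * over a firmware-style TLV blob. Layouts and constants are assumed stand-ins
 * for the driver's iwl_ucode_tlv / iwl_fw_ini_header.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the TLV container: type, payload length, then payload. */
struct tlv_hdr {
	uint32_t type;
	uint32_t length;	/* payload length in bytes, little-endian on the wire */
};

/* Stand-in for the debug (INI) header at the start of a debug TLV payload. */
struct dbg_hdr {
	uint32_t version;
	uint32_t domain;
};

#define TLV_DEBUG_BASE	0x1000000u	/* assumed base of the debug TLV type range */
#define TLV_DEBUG_COUNT	16u		/* assumed number of debug TLV types */

struct parse_result {
	unsigned accepted;	/* debug TLVs whose inner header was fully present */
	unsigned too_short;	/* debug TLVs with payload < sizeof(struct dbg_hdr) */
	unsigned truncated;	/* TLVs whose declared length overruns the blob */
	unsigned other;		/* non-debug TLVs, skipped */
};

/* Byte-wise little-endian access: no alignment or host-endianness assumptions. */
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/*
 * Every dereference is preceded by a check that the bytes exist. The
 * "payload shorter than inner header" case is the one the patch adds.
 */
struct parse_result parse_tlvs(const uint8_t *blob, size_t len)
{
	struct parse_result r = {0};
	size_t off = 0;

	while (len - off >= sizeof(struct tlv_hdr)) {
		uint32_t type = rd32(blob + off);
		uint32_t tlen = rd32(blob + off + 4);
		const uint8_t *data = blob + off + sizeof(struct tlv_hdr);
		size_t remaining = len - off - sizeof(struct tlv_hdr);

		if (tlen > remaining) {
			/* Declared length runs past the buffer: stop, do not read. */
			r.truncated++;
			break;
		}

		if (type >= TLV_DEBUG_BASE && type - TLV_DEBUG_BASE < TLV_DEBUG_COUNT) {
			if (tlen < sizeof(struct dbg_hdr)) {
				r.too_short++;	/* header would be read out of bounds */
			} else {
				uint32_t domain = rd32(data + 4);	/* safe: header present */
				(void)domain;	/* a driver would apply its domain filter here */
				r.accepted++;
			}
		} else {
			r.other++;
		}

		off += sizeof(struct tlv_hdr) + tlen;
		/* Pad to 4 bytes as firmware TLV formats commonly do; clamp to len. */
		off = (off + 3) & ~(size_t)3;
		if (off > len)
			off = len;
	}
	return r;
}

static size_t put_tlv(uint8_t *buf, size_t off, uint32_t type,
		      uint32_t plen, const uint8_t *payload)
{
	wr32(buf + off, type);
	wr32(buf + off + 4, plen);
	memcpy(buf + off + 8, payload, plen);
	return off + 8 + plen;
}

/* Constructed blob: a valid debug TLV, a non-debug TLV, and a debug TLV whose
 * payload is only 4 bytes, placed last so its missing domain field would lie
 * just past the end of the buffer. */
struct parse_result demo_short_debug_tlv(void)
{
	uint8_t blob[64];
	uint8_t good_hdr[8], short_hdr[4] = {1, 0, 0, 0}, misc[4] = {0xaa, 0xbb, 0xcc, 0xdd};
	size_t off = 0;

	wr32(good_hdr, 1);		/* version */
	wr32(good_hdr + 4, 1);		/* domain */
	off = put_tlv(blob, off, TLV_DEBUG_BASE + 2, sizeof good_hdr, good_hdr);
	off = put_tlv(blob, off, 0x20, sizeof misc, misc);
	off = put_tlv(blob, off, TLV_DEBUG_BASE + 3, sizeof short_hdr, short_hdr);
	return parse_tlvs(blob, off);
}

/* Constructed blob: a TLV that claims 100 payload bytes in a 16-byte buffer. */
struct parse_result demo_overrun_length(void)
{
	uint8_t blob[16] = {0};

	wr32(blob, TLV_DEBUG_BASE);
	wr32(blob + 4, 100);
	return parse_tlvs(blob, sizeof blob);
}

int main(void)
{
	struct parse_result a = demo_short_debug_tlv();
	struct parse_result b = demo_overrun_length();

	printf("short: accepted=%u too_short=%u truncated=%u other=%u\n",
	       a.accepted, a.too_short, a.truncated, a.other);
	printf("overrun: accepted=%u too_short=%u truncated=%u other=%u\n",
	       b.accepted, b.too_short, b.truncated, b.other);
	return 0;
}
```

The two constructed blobs exercise the two distinct failure modes: a payload that fits in the buffer but is too short for the inner header (the case the patch fixes), and a declared length that overruns the buffer entirely. Both are rejected before any byte beyond the buffer is touched.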

