linux-kernel.vger.kernel.org archive mirror
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Pontus Fuchs <pontus.fuchs@gmail.com>,
	Luciano Coelho <coelho@ti.com>
Subject: [08/42] wl12xx: Check buffer bound when processing nvs data
Date: Tue, 10 Jan 2012 13:48:18 -0800
Message-ID: <20120110215021.586675377@clark.kroah.org>
In-Reply-To: <20120110215031.GA19398@kroah.com>

3.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pontus Fuchs <pontus.fuchs@gmail.com>

commit f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 upstream.

An nvs with malformed contents could cause the processing of the
calibration data to read beyond the end of the buffer. Prevent this
from happening by adding bound checking.

Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
Reviewed-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/wireless/wl12xx/boot.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/net/wireless/wl12xx/boot.c
+++ b/drivers/net/wireless/wl12xx/boot.c
@@ -358,6 +358,9 @@ static int wl1271_boot_upload_nvs(struct
 		nvs_ptr += 3;
 
 		for (i = 0; i < burst_len; i++) {
+			if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len)
+				goto out_badnvs;
+
 			val = (nvs_ptr[0] | (nvs_ptr[1] << 8)
 			       | (nvs_ptr[2] << 16) | (nvs_ptr[3] << 24));
 
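Review bot: In the check added at the top of the for loop, the end address `(u8 *) wl->nvs + nvs_len` is recomputed on every iteration, and the comparison forms `nvs_ptr + 3` before it is known to be in range. Consider computing an end pointer once before the loop (and before `nvs_len` is adjusted further down) and comparing the remaining byte count against 4 instead. The added cast is also spaced `(u8 *) wl->nvs`, while the existing code in this function writes `(u8 *)wl->nvs`.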
@@ -369,6 +372,9 @@ static int wl1271_boot_upload_nvs(struct
 			nvs_ptr += 4;
 			dest_addr += 4;
 		}
+
+		if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
+			goto out_badnvs;
 	}
 
 	/*
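Review bot: The check added after the for loop only guarantees that one byte remains at `nvs_ptr`, but the context of the previous hunk shows each burst starting with a three-byte skip (`nvs_ptr += 3`). If those header bytes are read before the increment, a buffer that ends one or two bytes past this point still passes the check. Requiring at least three remaining bytes here, or checking before the header is parsed, would cover that case.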
@@ -380,6 +386,10 @@ static int wl1271_boot_upload_nvs(struct
 	 */
 	nvs_ptr = (u8 *)wl->nvs +
 			ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4);
+
+	if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
+		goto out_badnvs;
+
 	nvs_len -= nvs_ptr - (u8 *)wl->nvs;
 
 	/* Now we must set the partition correctly */
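Review bot: The check after the ALIGN() step uses `>=`, so an image whose aligned offset lands exactly at the end of the buffer is rejected as malformed, and the following `nvs_len -= nvs_ptr - (u8 *)wl->nvs` is left with at least one byte. A short comment stating that an empty remainder is treated as invalid, and that this check is what keeps the subtraction in range, would help. This is also the third copy of the `(u8 *) wl->nvs + nvs_len` expression in the patch; a single local or helper would keep the three checks consistent.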
@@ -395,6 +405,10 @@ static int wl1271_boot_upload_nvs(struct
 
 	kfree(nvs_aligned);
 	return 0;
+
+out_badnvs:
+	wl1271_error("nvs data is malformed");
+	return -EILSEQ;
 }
 
 static void wl1271_boot_enable_interrupts(struct wl1271 *wl)
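Review bot: The new `out_badnvs` label returns without the `kfree(nvs_aligned)` that the success path performs just above it. All three `goto out_badnvs` sites in this patch sit before the partition setup, so this is safe only as long as `nvs_aligned` is allocated after them; a comment at the label, or a shared cleanup path, would keep a later goto from leaking it. The error message would also be more useful if it reported the offset at which parsing failed.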


