From: gregory.greenman@intel.com
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
	Johannes Berg <johannes.berg@intel.com>,
	Gregory Greenman <gregory.greenman@intel.com>
Subject: [PATCH wireless 10/12] wifi: iwlwifi: mvm: don't trust firmware n_channels
Date: Sun, 14 May 2023 12:15:53 +0300
Message-ID: <20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid>
In-Reply-To: <20230514091555.168392-1-gregory.greenman@intel.com>

From: Johannes Berg <johannes.berg@intel.com>

If the firmware sends us a corrupted MCC response with
n_channels much larger than the command response can be,
we might copy far too much (uninitialized) memory and
even crash if the n_channels is large enough to make it
run out of the one page allocated for the FW response.

Fix that by checking the lengths. Doing a < comparison
would be sufficient, but the firmware should be doing
it correctly, so check more strictly.

Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
index 6d18a1fd649b..fdf60afb0f3f 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
 		struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data;
 
 		n_channels =  __le32_to_cpu(mcc_resp->n_channels);
+		if (iwl_rx_packet_payload_len(pkt) !=
+		    struct_size(mcc_resp, channels, n_channels)) {
+			resp_cp = ERR_PTR(-EINVAL);
+			goto exit;
+		}
 		resp_len = sizeof(struct iwl_mcc_update_resp) +
 			   n_channels * sizeof(__le32);
 		resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL);
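Review bot: The rejection at the top of this hunk is silent; a length mismatch here means the firmware produced a malformed MCC response, so an IWL_ERR (or at least IWL_DEBUG) line reporting n_channels and iwl_rx_packet_payload_len(pkt) before the `goto exit` would make the failure diagnosable from logs rather than surfacing only as -EINVAL. Relatedly, `resp_len` on the lines that follow is still assembled by hand as `sizeof(struct iwl_mcc_update_resp) + n_channels * sizeof(__le32)`; since the payload has just been verified to equal `struct_size(mcc_resp, channels, n_channels)`, reusing that value (or the verified payload length) for `resp_len` keeps the checked size and the copied size from drifting apart. The strict `!=` together with struct_size() is the right shape: struct_size() saturates to SIZE_MAX on overflow, so an absurd n_channels fails the comparison instead of wrapping into a small allocation.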
@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
 		struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data;
 
 		n_channels =  __le32_to_cpu(mcc_resp_v3->n_channels);
+		if (iwl_rx_packet_payload_len(pkt) !=
+		    struct_size(mcc_resp_v3, channels, n_channels)) {
+			resp_cp = ERR_PTR(-EINVAL);
+			goto exit;
+		}
 		resp_len = sizeof(struct iwl_mcc_update_resp) +
 			   n_channels * sizeof(__le32);
 		resp_cp = kzalloc(resp_len, GFP_KERNEL);
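Review bot: This check is a verbatim copy of the one in the previous hunk apart from the struct pointer; a small helper, or computing the expected size once before the version branch and comparing it in one place, would keep the two paths from diverging when another response version is added. Please also confirm that the code after the `exit` label copes with `resp_cp` holding an ERR_PTR, since that is new with this patch and the label's body is not in the diff. Finally, `resp_len` below is computed from `sizeof(struct iwl_mcc_update_resp)`, not the v3 struct, while the wire length is checked against `struct_size(mcc_resp_v3, channels, n_channels)`; if that is intentional (the v3 path allocates with kzalloc rather than kmemdup, which suggests a conversion into the newer layout), a one-line comment saying so would stop a reader from taking the mismatch for a bug.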
-- 
2.38.1
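As an added example that is not the kernel's or the patch's own code, the following user-space model reproduces the length check the patch introduces so its failure modes (truncated payload, oversized count, count that would overflow the size computation) can be exercised offline. It assumes a simplified stand-in struct, mcc_resp_model, for iwl_mcc_update_resp, and a hypothetical model_struct_size() that mirrors the kernel's saturating struct_size().

```c
/* Added example, not the kernel's code: a user-space model of the length
 * check the patch adds; mcc_resp_model stands in for iwl_mcc_update_resp. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct mcc_resp_model {
	uint32_t status;      /* stands in for the fixed header fields */
	uint32_t n_channels;  /* firmware-supplied count, little-endian on the wire */
	uint32_t channels[];  /* n_channels entries follow */
};

/* Mirrors the kernel's struct_size(): saturates to SIZE_MAX on overflow
 * instead of wrapping, so an absurd count can never look "small". */
size_t model_struct_size(uint32_t n)
{
	size_t hdr = offsetof(struct mcc_resp_model, channels);
	if (n > (SIZE_MAX - hdr) / sizeof(uint32_t))
		return SIZE_MAX;
	return hdr + (size_t)n * sizeof(uint32_t);
}

/* Validate a response payload before anything is copied out of it: returns
 * n_channels, or -EINVAL if the length does not exactly match the count. */
int validate_mcc_resp(const uint8_t *payload, size_t payload_len)
{
	uint32_t n;
	if (payload_len < offsetof(struct mcc_resp_model, channels))
		return -EINVAL;  /* too short to even hold n_channels */
	/* n_channels sits at byte 4 of the model header, little-endian */
	n = (uint32_t)payload[4] | (uint32_t)payload[5] << 8 |
	    (uint32_t)payload[6] << 16 | (uint32_t)payload[7] << 24;
	if (n > INT_MAX || payload_len != model_struct_size(n))
		return -EINVAL;
	return (int)n;
}

/* Constructed scenario: a payload claiming n_claimed channels but carrying
 * n_real of them; returns the validator's verdict. */
int check_scenario(uint32_t n_claimed, uint32_t n_real)
{
	uint8_t buf[64] = {0};
	size_t len = offsetof(struct mcc_resp_model, channels) +
		     (size_t)n_real * sizeof(uint32_t);
	if (len > sizeof(buf))
		return -E2BIG;
	for (int i = 0; i < 4; i++)
		buf[4 + i] = (uint8_t)(n_claimed >> (8 * i));  /* little-endian */
	return validate_mcc_resp(buf, len);
}
```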
