Message ID | 20230830020716.5420-1-quic_bqiang@quicinc.com (mailing list archive) |
---|---|
State | Accepted |
Commit | b302dce3d9edea5b93d1902a541684a967f3c63c |
Delegated to: | Kalle Valo |
Series | wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() |
On 8/29/2023 7:07 PM, Baochen Qiang wrote: > reg_cap.phy_id is extracted from WMI event and could be an unexpected value > in case some errors happen. As a result out-of-bound write may occur to > soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it. > > This is found during code review. > > Compile tested only. > > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com> > --- > drivers/net/wireless/ath/ath12k/wmi.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c > index ef0f3cf35cfd..a8a7fa9f71cf 100644 > --- a/drivers/net/wireless/ath/ath12k/wmi.c > +++ b/drivers/net/wireless/ath/ath12k/wmi.c > @@ -3876,6 +3876,10 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc, > ath12k_warn(soc, "failed to extract reg cap %d\n", i); > return ret; > } > + if (reg_cap.phy_id >= MAX_RADIOS) { > + ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id); > + return -EINVAL; > + } > soc->hal_reg_cap[reg_cap.phy_id] = reg_cap; > } > return 0; > > base-commit: a62b0aeb556839fb6abb9835874443b08fe95598
Baochen Qiang <quic_bqiang@quicinc.com> wrote:

> reg_cap.phy_id is extracted from WMI event and could be an unexpected value
> in case some errors happen. As a result out-of-bound write may occur to
> soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.
>
> This is found during code review.
>
> Compile tested only.
>
> Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
> Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>

Patch applied to ath-next branch of ath.git, thanks.

b302dce3d9ed wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c index ef0f3cf35cfd..a8a7fa9f71cf 100644 --- a/drivers/net/wireless/ath/ath12k/wmi.c +++ b/drivers/net/wireless/ath/ath12k/wmi.c @@ -3876,6 +3876,10 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc, ath12k_warn(soc, "failed to extract reg cap %d\n", i); return ret; } + if (reg_cap.phy_id >= MAX_RADIOS) { + ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id); + return -EINVAL; + } soc->hal_reg_cap[reg_cap.phy_id] = reg_cap; } return 0;
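Review bot: The new check in ath12k_wmi_ext_hal_reg_caps() bounds reg_cap.phy_id by MAX_RADIOS, but the write it guards indexes soc->hal_reg_cap, and nothing in the hunk shows that the array is declared with MAX_RADIOS entries. Comparing against ARRAY_SIZE(soc->hal_reg_cap) would keep the bound tied to the array itself if its declaration ever changes. The early return -EINVAL also appears to sit inside the per-entry loop, so entries stored by earlier iterations stay in soc->hal_reg_cap when a later phy_id is rejected; it is worth confirming that callers treat this error as fatal. Including the index i in the new warning, as the preceding "failed to extract reg cap %d" message does, would show which entry carried the bad phy id.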
reg_cap.phy_id is extracted from WMI event and could be an unexpected value in case some errors happen. As a result out-of-bound write may occur to soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.

This is found during code review.

Compile tested only.

Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>

---
 drivers/net/wireless/ath/ath12k/wmi.c | 4 ++++
 1 file changed, 4 insertions(+)

base-commit: a62b0aeb556839fb6abb9835874443b08fe95598