From patchwork Wed Apr  5 11:58:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Maya Erez <qca_merez@qca.qualcomm.com>
X-Patchwork-Id: 9663835
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0063C60353 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  5 Apr 2017 12:00:17 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E4ADC27D0C
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  5 Apr 2017 12:00:16 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D95D2284F9; Wed,  5 Apr 2017 12:00:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7352627D0C
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  5 Apr 2017 12:00:16 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933036AbdDEL76 (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 5 Apr 2017 07:59:58 -0400
Received: from wolverine02.qualcomm.com ([199.106.114.251]:5508 "EHLO
	wolverine02.qualcomm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933029AbdDEL6e (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 5 Apr 2017 07:58:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
	d=qca.qualcomm.com; i=@qca.qualcomm.com; q=dns/txt;
	s=qcdkim; t=1491393514; x=1522929514;
	h=cc:from:to:subject:date:message-id:in-reply-to: references;
	bh=Tnk3YqkR3OOJWP0xHQOPXwtkndvgRvO6XA56OLrszFU=;
	b=zhvP9M1Fh9RoYVOa/bLsMbmkJuVuMRhNhDIIfMQd/D+hZqGiYlhXSeRx
	MKlL/Wyurl0Drm5dkKMh+JkEzQM+YcdGo9lzNXEZbkd3MlhX4yDO7YRoR
	lKLNaS8112d9nfOTUaXOZOx6koZZqWS0dI2E6qIZzVo3/PUCqgVZgwyaF 8=;
X-IronPort-AV: E=Sophos;i="5.36,278,1486454400"; d="scan'208";a="371582769"
Received: from unknown (HELO ironmsg02-L.qualcomm.com) ([10.53.140.109])
	by wolverine02.qualcomm.com with ESMTP; 05 Apr 2017 04:58:33 -0700
Cc: Dedy Lansky <qca_dlansky@qualcomm.com>,
	linux-wireless@vger.kernel.org, wil6210@qca.qualcomm.com,
	Maya Erez <qca_merez@qca.qualcomm.com>
X-IronPort-AV: E=McAfee;i="5800,7501,8488"; a="899448750"
X-MGA-submission: =?us-ascii?q?MDFSPjWcvIZ1FJd7zGcs/KxGPy1j3o73Buq4bo?=
	=?us-ascii?q?Pab34/X5c379S86Ne9jTz0g9Wwui4+Y388atLTQibrpg+a13MieYShvp?=
	=?us-ascii?q?Oea0tn1mUn2PU2KFG9x23EBYxBBQ16/MoQkezM3Gy0DZ06pIIedmNz2o?=
	=?us-ascii?q?/0?=
Received: from lx-merez1.mea.qualcomm.com ([10.18.173.103])
	by ironmsg02-L.qualcomm.com with ESMTP; 05 Apr 2017 04:58:32 -0700
From: Maya Erez <qca_merez@qca.qualcomm.com>
To: Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 08/11] wil6210: fix memory access violation in
	wil_memcpy_from/toio_32
Date: Wed,  5 Apr 2017 14:58:11 +0300
Message-Id: <1491393494-11816-9-git-send-email-qca_merez@qca.qualcomm.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1491393494-11816-1-git-send-email-qca_merez@qca.qualcomm.com>
References: <1491393494-11816-1-git-send-email-qca_merez@qca.qualcomm.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Dedy Lansky <qca_dlansky@qca.qualcomm.com>

In case count is not multiple of 4, there is a read access in
wil_memcpy_toio_32() from outside src buffer boundary.
In wil_memcpy_fromio_32(), in case count is not multiple of 4, there is
a write access to outside dst io memory boundary.

Fix these issues with proper handling of the last 1 to 4 copied bytes.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
---
 drivers/net/wireless/ath/wil6210/main.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 9aa81ce..439d27c 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -130,9 +130,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src,
 	u32 *d = dst;
 	const volatile u32 __iomem *s = src;
 
-	/* size_t is unsigned, if (count%4 != 0) it will wrap */
-	for (count += 4; count > 4; count -= 4)
+	for (; count >= 4; count -= 4)
 		*d++ = __raw_readl(s++);
+
+	if (unlikely(count)) {
+		/* count can be 1..3 */
+		u32 tmp = __raw_readl(s);
+
+		memcpy(d, &tmp, count);
+	}
 }
 
 void wil_memcpy_fromio_halp_vote(struct wil6210_priv *wil, void *dst,
@@ -149,8 +155,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
 	volatile u32 __iomem *d = dst;
 	const u32 *s = src;
 
-	for (count += 4; count > 4; count -= 4)
+	for (; count >= 4; count -= 4)
 		__raw_writel(*s++, d++);
+
+	if (unlikely(count)) {
+		/* count can be 1..3 */
+		u32 tmp = 0;
+
+		memcpy(&tmp, s, count);
+		__raw_writel(tmp, d);
+	}
 }
 
 void wil_memcpy_toio_halp_vote(struct wil6210_priv *wil,