From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Baochen Qiang <quic_bqiang@quicinc.com>,
Jeff Johnson <quic_jjohnson@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, ath12k@lists.infradead.org,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 10/30] wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
Date: Tue, 7 Nov 2023 07:08:25 -0500 [thread overview]
Message-ID: <20231107120922.3757126-10-sashal@kernel.org> (raw)
In-Reply-To: <20231107120922.3757126-1-sashal@kernel.org>
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit b302dce3d9edea5b93d1902a541684a967f3c63c ]
reg_cap.phy_id is extracted from WMI event and could be an unexpected value
in case some errors happen. As a result out-of-bound write may occur to
soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.
This is found during code review.
Compile tested only.
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230830020716.5420-1-quic_bqiang@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/wmi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index eebc5a65ce3b4..416b22fa53ebf 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -3799,6 +3799,12 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc,
ath12k_warn(soc, "failed to extract reg cap %d\n", i);
return ret;
}
+
+ if (reg_cap.phy_id >= MAX_RADIOS) {
+ ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id);
+ return -EINVAL;
+ }
+
soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
}
return 0;
--
2.42.0
--
ath12k mailing list
ath12k@lists.infradead.org
https://lists.infradead.org/mailman/listinfo/ath12k
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Baochen Qiang <quic_bqiang@quicinc.com>,
Jeff Johnson <quic_jjohnson@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, ath12k@lists.infradead.org,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 10/30] wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
Date: Tue, 7 Nov 2023 07:08:25 -0500 [thread overview]
Message-ID: <20231107120922.3757126-10-sashal@kernel.org> (raw)
In-Reply-To: <20231107120922.3757126-1-sashal@kernel.org>
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit b302dce3d9edea5b93d1902a541684a967f3c63c ]
reg_cap.phy_id is extracted from WMI event and could be an unexpected value
in case some errors happen. As a result out-of-bound write may occur to
soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.
This is found during code review.
Compile tested only.
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230830020716.5420-1-quic_bqiang@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/wmi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index eebc5a65ce3b4..416b22fa53ebf 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -3799,6 +3799,12 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc,
ath12k_warn(soc, "failed to extract reg cap %d\n", i);
return ret;
}
+
+ if (reg_cap.phy_id >= MAX_RADIOS) {
+ ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id);
+ return -EINVAL;
+ }
+
soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
}
return 0;
--
2.42.0
next prev parent reply other threads:[~2023-11-07 12:09 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 12:08 [PATCH AUTOSEL 6.5 01/30] wifi: plfxlc: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 02/30] wifi: ath12k: Ignore fragments from uninitialized peer in dp Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 03/30] wifi: mac80211_hwsim: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 04/30] wifi: mac80211: don't return unset power in ieee80211_get_tx_power() Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 05/30] atl1c: Work around the DMA RX overflow issue Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 06/30] bpf: Detect IP == ksym.end as part of BPF program Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 07/30] wifi: ath9k: fix clang-specific fortify warnings Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 08/30] wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats() Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 09/30] wifi: ath10k: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` Sasha Levin [this message]
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 10/30] wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 11/30] ACPI: APEI: Fix AER info corruption when error status data has multiple sections Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 12/30] net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 13/30] wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023) Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 14/30] wifi: mt76: get rid of false alamrs of tx emission issues Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 15/30] net: annotate data-races around sk->sk_tx_queue_mapping Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 16/30] net: annotate data-races around sk->sk_dst_pending_confirm Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 17/30] wifi: ath12k: mhi: fix potential memory leak in ath12k_mhi_register() Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 18/30] wifi: ath10k: Don't touch the CE interrupt registers after power up Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 19/30] net: sfp: add quirk for FS's 2.5G copper SFP Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 20/30] vsock: read from socket's error queue Sasha Levin
2023-11-07 12:08 ` Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 21/30] bpf: Ensure proper register state printing for cond jumps Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 22/30] wifi: iwlwifi: mvm: fix size check for fw_link_id Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 23/30] Bluetooth: btusb: Add date->evt_skb is NULL check Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 24/30] Bluetooth: Fix double free in hci_conn_cleanup Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 25/30] ACPI: EC: Add quirk for HP 250 G7 Notebook PC Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 26/30] tsnep: Fix tsnep_request_irq() format-overflow warning Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 27/30] gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010 Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 28/30] platform/chrome: kunit: initialize lock for fake ec_dev Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 29/30] of: address: Fix address translation when address-size is greater than 2 Sasha Levin
2023-11-07 12:08 ` [PATCH AUTOSEL 6.5 30/30] platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107120922.3757126-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath12k@lists.infradead.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=quic_bqiang@quicinc.com \
--cc=quic_jjohnson@quicinc.com \
--cc=quic_kvalo@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.