* Is this a out-of-bounds issue?
@ 2024-09-12 13:26 Qianqiang Liu
0 siblings, 0 replies; 3+ messages in thread
From: Qianqiang Liu @ 2024-09-12 13:26 UTC (permalink / raw)
To: mingyen.hsieh; +Cc: nbd, lorenzo, deren.wu, linux-mediatek
Hi,
The code in drivers/net/wireless/mediatek/mt76/mt7925/mcu.c may have a
out-of-bounds issue:
638 for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
639 clc = (const struct mt7925_clc *)(clc_base + offset);
640
641 if (clc->idx > ARRAY_SIZE(phy->clc)) <-
642 break;
643
644 /* do not init buf again if chip reset triggered */
645 if (phy->clc[clc->idx])
646 continue;
647
648 phy->clc[clc->idx] = devm_kmemdup(mdev->dev, clc,
649 le32_to_cpu(clc->len),
650 GFP_KERNEL);
651
652 if (!phy->clc[clc->idx]) {
653 ret = -ENOMEM;
654 goto out;
655 }
656 }
Let's say the array size of "phy->clc" is 2, then the valid index is 0 and 1.
If "clc->idx" is 2, "clc->idx > ARRAY_SIZE(phy->clc)" must be false, the "break"
statement won't be executed, and "phy->clc[2]" may access illegal memory address.
So, should we modify the code like this?
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index 748ea6adbc6b..0c2a2337c313 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -638,7 +638,7 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
clc = (const struct mt7925_clc *)(clc_base + offset);
- if (clc->idx > ARRAY_SIZE(phy->clc))
+ if (clc->idx >= ARRAY_SIZE(phy->clc))
break;
/* do not init buf again if chip reset triggered */
--
Best,
Qianqiang Li
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: Is this a out-of-bounds issue?
[not found] <66e2ec22.050a0220.37047b.174cSMTPIN_ADDED_BROKEN@mx.google.com>
@ 2024-09-12 13:34 ` Lorenzo Bianconi
2024-09-12 14:20 ` Qianqiang Liu
0 siblings, 1 reply; 3+ messages in thread
From: Lorenzo Bianconi @ 2024-09-12 13:34 UTC (permalink / raw)
To: Qianqiang Liu; +Cc: mingyen.hsieh, nbd, deren.wu, linux-mediatek
[-- Attachment #1: Type: text/plain, Size: 2158 bytes --]
> Hi,
>
> The code in drivers/net/wireless/mediatek/mt76/mt7925/mcu.c may have a
> out-of-bounds issue:
>
> 638 for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
> 639 clc = (const struct mt7925_clc *)(clc_base + offset);
> 640
> 641 if (clc->idx > ARRAY_SIZE(phy->clc)) <-
> 642 break;
> 643
> 644 /* do not init buf again if chip reset triggered */
> 645 if (phy->clc[clc->idx])
> 646 continue;
> 647
> 648 phy->clc[clc->idx] = devm_kmemdup(mdev->dev, clc,
> 649 le32_to_cpu(clc->len),
> 650 GFP_KERNEL);
> 651
> 652 if (!phy->clc[clc->idx]) {
> 653 ret = -ENOMEM;
> 654 goto out;
> 655 }
> 656 }
>
> Let's say the array size of "phy->clc" is 2, then the valid index is 0 and 1.
> If "clc->idx" is 2, "clc->idx > ARRAY_SIZE(phy->clc)" must be false, the "break"
> statement won't be executed, and "phy->clc[2]" may access illegal memory address.
>
> So, should we modify the code like this?
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
> index 748ea6adbc6b..0c2a2337c313 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
> @@ -638,7 +638,7 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
> for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
> clc = (const struct mt7925_clc *)(clc_base + offset);
>
> - if (clc->idx > ARRAY_SIZE(phy->clc))
> + if (clc->idx >= ARRAY_SIZE(phy->clc))
> break;
>
> /* do not init buf again if chip reset triggered */
>
> --
> Best,
> Qianqiang Li
>
Hi,
I think this is already fixed here:
https://patchwork.kernel.org/project/linux-wireless/patch/84bf5dd2-2fe3-4410-a7af-ae841e41082a@stanley.mountain/
Regards,
Lornzo
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Is this a out-of-bounds issue?
2024-09-12 13:34 ` Is this a out-of-bounds issue? Lorenzo Bianconi
@ 2024-09-12 14:20 ` Qianqiang Liu
0 siblings, 0 replies; 3+ messages in thread
From: Qianqiang Liu @ 2024-09-12 14:20 UTC (permalink / raw)
To: Lorenzo Bianconi; +Cc: mingyen.hsieh, nbd, deren.wu, linux-mediatek
> Hi,
>
> I think this is already fixed here:
> https://patchwork.kernel.org/project/linux-wireless/patch/84bf5dd2-2fe3-4410-a7af-ae841e41082a@stanley.mountain/
>
> Regards,
> Lornzo
Thanks!
--
Best,
Qianqiang Liu
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-09-12 14:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <66e2ec22.050a0220.37047b.174cSMTPIN_ADDED_BROKEN@mx.google.com>
2024-09-12 13:34 ` Is this a out-of-bounds issue? Lorenzo Bianconi
2024-09-12 14:20 ` Qianqiang Liu
2024-09-12 13:26 Qianqiang Liu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.