* [PATCH 1/2] wl12xx: Validate FEM index from ini file and FW
2011-10-18 7:23 [PATCH 0/2] wl12xx: Fix problems in nvs file parsing Pontus Fuchs
@ 2011-10-18 7:23 ` Pontus Fuchs
2011-10-18 7:23 ` [PATCH 2/2] wl12xx: Check buffer bound when processing nvs data Pontus Fuchs
2011-12-01 14:23 ` [PATCH 0/2] wl12xx: Fix problems in nvs file parsing Luciano Coelho
2 siblings, 0 replies; 4+ messages in thread
From: Pontus Fuchs @ 2011-10-18 7:23 UTC (permalink / raw)
To: linux-wireless; +Cc: Pontus Fuchs, stable
Check for out of bound FEM index to prevent reading beyond ini
memory end.
Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: stable@kernel.org
Reviewed-by: Luciano Coelho <coelho@ti.com>
---
drivers/net/wireless/wl12xx/cmd.c | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/drivers/net/wireless/wl12xx/cmd.c b/drivers/net/wireless/wl12xx/cmd.c
index 2413c43..38a21a3 100644
--- a/drivers/net/wireless/wl12xx/cmd.c
+++ b/drivers/net/wireless/wl12xx/cmd.c
@@ -121,6 +121,11 @@ int wl1271_cmd_general_parms(struct wl1271 *wl)
if (!wl->nvs)
return -ENODEV;
+ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
+ wl1271_warning("FEM index from INI out of bounds");
+ return -EINVAL;
+ }
+
gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL);
if (!gen_parms)
return -ENOMEM;
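Review bot: the upper-bound test on gp->tx_bip_fem_manufacturer at the top of wl1271_cmd_general_parms covers the whole invalid range only if that field is unsigned. Its declaration is not visible in this hunk, and the later debug print formats it with %d, so it is worth confirming. The warning would also be more useful if it printed the offending index and WL1271_INI_FEM_MODULE_COUNT.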
@@ -144,6 +149,12 @@ int wl1271_cmd_general_parms(struct wl1271 *wl)
gp->tx_bip_fem_manufacturer =
gen_parms->general_params.tx_bip_fem_manufacturer;
+ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
+ wl1271_warning("FEM index from FW out of bounds");
+ ret = -EINVAL;
+ goto out;
+ }
+
wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n",
answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer);
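Review bot: gp->tx_bip_fem_manufacturer is overwritten with the firmware's value before the new check runs, so on the -EINVAL path the out-of-range index is left in gp. Validate gen_parms->general_params.tx_bip_fem_manufacturer first and assign it only when it is below WL1271_INI_FEM_MODULE_COUNT. The same ordering applies to the matching hunk in wl128x_cmd_general_parms.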
@@ -163,6 +174,11 @@ int wl128x_cmd_general_parms(struct wl1271 *wl)
if (!wl->nvs)
return -ENODEV;
+ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
+ wl1271_warning("FEM index from ini out of bounds");
+ return -EINVAL;
+ }
+
gen_parms = kzalloc(sizeof(*gen_parms), GFP_KERNEL);
if (!gen_parms)
return -ENOMEM;
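Review bot: this check in wl128x_cmd_general_parms is a verbatim copy of the one added to wl1271_cmd_general_parms, differing only in the spelling "ini" versus "INI" in the warning. A small helper that takes the index and a source string ("INI" or "FW") would keep the four checks in this patch consistent and give one place to change the limit or the message.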
@@ -187,6 +203,12 @@ int wl128x_cmd_general_parms(struct wl1271 *wl)
gp->tx_bip_fem_manufacturer =
gen_parms->general_params.tx_bip_fem_manufacturer;
+ if (gp->tx_bip_fem_manufacturer >= WL1271_INI_FEM_MODULE_COUNT) {
+ wl1271_warning("FEM index from FW out of bounds");
+ ret = -EINVAL;
+ goto out;
+ }
+
wl1271_debug(DEBUG_CMD, "FEM autodetect: %s, manufacturer: %d\n",
answer ? "auto" : "manual", gp->tx_bip_fem_manufacturer);
--
1.7.4.1
* [PATCH 2/2] wl12xx: Check buffer bound when processing nvs data
From: Pontus Fuchs @ 2011-10-18 7:23 UTC (permalink / raw)
To: linux-wireless; +Cc: Pontus Fuchs, stable
An nvs with malformed contents could cause the processing of the
calibration data to read beyond the end of the buffer. Prevent this
from happening by adding bound checking.
Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: stable@kernel.org
Reviewed-by: Luciano Coelho <coelho@ti.com>
---
drivers/net/wireless/wl12xx/boot.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/drivers/net/wireless/wl12xx/boot.c b/drivers/net/wireless/wl12xx/boot.c
index 4ce634b..c9c8b69 100644
--- a/drivers/net/wireless/wl12xx/boot.c
+++ b/drivers/net/wireless/wl12xx/boot.c
@@ -347,6 +347,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
nvs_ptr += 3;
for (i = 0; i < burst_len; i++) {
+ if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len)
+ goto out_badnvs;
+
val = (nvs_ptr[0] | (nvs_ptr[1] << 8)
| (nvs_ptr[2] << 16) | (nvs_ptr[3] << 24));
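Review bot: the bound test inside the for loop is repeated for every word of the burst, although burst_len is already known when the loop starts. Checking once before the loop that burst_len * 4 bytes remain between nvs_ptr and (u8 *) wl->nvs + nvs_len would reject a truncated burst before any of it is processed, and would make the intent easier to read than the per-word `nvs_ptr + 3 >=` comparison.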
@@ -358,6 +361,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
nvs_ptr += 4;
dest_addr += 4;
}
+
+ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
+ goto out_badnvs;
}
/*
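Review bot: the check added after the inner loop, `nvs_ptr >= (u8 *) wl->nvs + nvs_len`, guarantees only one readable byte, yet each burst consumes a 3-byte header (the `nvs_ptr += 3` in the previous hunk's context). If the header fields are read from nvs_ptr[1] and nvs_ptr[2], which is not shown in this hunk, a header that starts in the last two bytes of the buffer is still read past the end. Requiring at least 3 bytes to remain here would close that.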
@@ -369,6 +375,10 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
*/
nvs_ptr = (u8 *)wl->nvs +
ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4);
+
+ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
+ goto out_badnvs;
+
nvs_len -= nvs_ptr - (u8 *)wl->nvs;
/* Now we must set the partition correctly */
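Review bot: nvs_ptr is advanced with ALIGN(... + 7, 4) before it is compared against the end of the buffer, so for a short or malformed file the pointer is already formed beyond the allocation when the check runs. Computing the aligned offset as an integer, comparing it with nvs_len, and only then deriving nvs_ptr from it avoids relying on out-of-range pointer arithmetic and makes the following `nvs_len -=` obviously safe.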
@@ -384,6 +394,10 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
kfree(nvs_aligned);
return 0;
+
+out_badnvs:
+ wl1271_error("nvs data is malformed");
+ return -EILSEQ;
}
static void wl1271_boot_enable_interrupts(struct wl1271 *wl)
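Review bot: out_badnvs returns without any cleanup, while the success path just above it calls kfree(nvs_aligned). Please confirm that nvs_aligned is allocated only after the last `goto out_badnvs` site; the allocation is not visible in these hunks. Also, this path returns -EILSEQ whereas patch 1/2 uses -EINVAL for malformed ini and FW values, so a sentence in the commit message on the choice of error code would help.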
--
1.7.4.1
* Re: [PATCH 0/2] wl12xx: Fix problems in nvs file parsing
From: Luciano Coelho @ 2011-12-01 14:23 UTC (permalink / raw)
To: Pontus Fuchs; +Cc: linux-wireless
On Tue, 2011-10-18 at 09:23 +0200, Pontus Fuchs wrote:
> A crafted nvs file could trick the driver into reading and writing
> beyond end of buffers.
>
> Pontus Fuchs (2):
> wl12xx: Validate FEM index from ini file and FW
> wl12xx: Check buffer bound when processing nvs data
>
> drivers/net/wireless/wl12xx/boot.c | 14 ++++++++++++++
> drivers/net/wireless/wl12xx/cmd.c | 22 ++++++++++++++++++++++
> 2 files changed, 36 insertions(+), 0 deletions(-)
Applied both, tack!
--
Cheers,
Luca.