Commit aed95297 authored by Zekun Shen, committed by Kalle Valo

ath10k: pci: fix memcpy size of bmi response

A compromised ath10k peripheral is able to control the size argument
of memcpy in ath10k_pci_hif_exchange_bmi_msg.

The min result from previous line is not used as the size argument
for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
which is set inside _ath10k_ce_completed_recv_next_nolock with the line

nbytes = __le16_to_cpu(sdesc.nbytes);

sdesc is a stream dma region which the device can write to.
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200616132544.17478-1-bruceshenzk@gmail.com
parent 93a5b668
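The bug described in the commit message, modelled as an added example (this is not ath10k code; `ce_desc`, `bmi_xfer`, `copy_resp_*` and `run_exchange` are hypothetical stand-ins for the driver's structures and functions). The device-written descriptor supplies `nbytes`, the receive completion copies it into `xfer.resp_len`, and the pre-fix copy uses that untrusted value as the memcpy length even though the clamped `*resp_len` was just computed. The caller's buffer is placed at the start of a larger arena with a canary byte after it, so an over-long copy is observable as a smashed canary rather than as undefined behaviour. A third, stricter variant that rejects an oversized response outright is added here as an alternative to silent truncation; it goes beyond what the patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the copy-engine descriptor in the stream DMA
 * region that the device writes; the real driver reads sdesc.nbytes from it. */
struct ce_desc {
	uint16_t nbytes;
};

/* Hypothetical stand-in for the driver's per-exchange state. */
struct bmi_xfer {
	size_t resp_len;
};

/* Receive completion: the response length is taken straight from the
 * descriptor, so it is chosen by the device, not by the driver. */
static void bmi_recv_complete(struct bmi_xfer *xfer, const struct ce_desc *sdesc)
{
	xfer->resp_len = sdesc->nbytes;
}

static size_t min_sz(size_t a, size_t b)
{
	return a < b ? a : b;
}

/* Before the fix: *resp_len is clamped, but memcpy still uses the
 * device-controlled xfer->resp_len, so it can run past the end of resp. */
static size_t copy_resp_vulnerable(void *resp, size_t *resp_len,
				   const void *tresp, const struct bmi_xfer *xfer)
{
	*resp_len = min_sz(*resp_len, xfer->resp_len);
	memcpy(resp, tresp, xfer->resp_len);
	return xfer->resp_len;
}

/* After the fix: the clamped value is the copy length. */
static size_t copy_resp_fixed(void *resp, size_t *resp_len,
			      const void *tresp, const struct bmi_xfer *xfer)
{
	*resp_len = min_sz(*resp_len, xfer->resp_len);
	memcpy(resp, tresp, *resp_len);
	return *resp_len;
}

/* Stricter variant (added here, not in the patch): refuse an oversized
 * response instead of silently truncating it. Returns the bytes copied, or
 * (size_t)-1 when the device claims more than the caller's buffer holds. */
static size_t copy_resp_strict(void *resp, size_t *resp_len,
			       const void *tresp, const struct bmi_xfer *xfer)
{
	if (xfer->resp_len > *resp_len)
		return (size_t)-1;
	*resp_len = xfer->resp_len;
	memcpy(resp, tresp, *resp_len);
	return *resp_len;
}

enum copy_variant { COPY_VULNERABLE = 0, COPY_FIXED = 1, COPY_STRICT = 2 };
enum { CALLER_LEN = 16, ARENA_LEN = 64, CANARY = 0xA5 };

/* One modelled exchange. resp is the first CALLER_LEN bytes of a larger
 * arena so an over-long copy lands on a canary instead of being undefined
 * behaviour; device_nbytes is capped at ARENA_LEN for the same reason.
 * Stores the copy length (or (size_t)-1) in *copied and returns 1 when the
 * canary byte just past the caller's buffer survived, 0 when it was overwritten. */
int run_exchange(uint16_t device_nbytes, enum copy_variant variant, size_t *copied)
{
	uint8_t arena[ARENA_LEN];
	uint8_t tresp[ARENA_LEN];	/* stands in for the DMA-coherent response buffer */
	struct ce_desc sdesc = { .nbytes = device_nbytes > ARENA_LEN ? ARENA_LEN : device_nbytes };
	struct bmi_xfer xfer = { 0 };
	size_t resp_len = CALLER_LEN;	/* what the caller says its buffer holds */

	memset(arena, CANARY, sizeof arena);
	memset(tresp, 0x41, sizeof tresp);	/* constructed device payload */
	bmi_recv_complete(&xfer, &sdesc);

	switch (variant) {
	case COPY_VULNERABLE:
		*copied = copy_resp_vulnerable(arena, &resp_len, tresp, &xfer);
		break;
	case COPY_FIXED:
		*copied = copy_resp_fixed(arena, &resp_len, tresp, &xfer);
		break;
	default:
		*copied = copy_resp_strict(arena, &resp_len, tresp, &xfer);
		break;
	}
	return arena[CALLER_LEN] == CANARY;
}

int canary_ok(uint16_t device_nbytes, enum copy_variant variant)
{
	size_t n;
	return run_exchange(device_nbytes, variant, &n);
}

size_t bytes_copied(uint16_t device_nbytes, enum copy_variant variant)
{
	size_t n;
	run_exchange(device_nbytes, variant, &n);
	return n;
}

int main(void)
{
	printf("device says 40, caller buffer 16: vulnerable canary ok=%d copied=%zu\n",
	       canary_ok(40, COPY_VULNERABLE), bytes_copied(40, COPY_VULNERABLE));
	printf("device says 40, caller buffer 16: fixed      canary ok=%d copied=%zu\n",
	       canary_ok(40, COPY_FIXED), bytes_copied(40, COPY_FIXED));
	printf("device says 40, caller buffer 16: strict     canary ok=%d rejected=%d\n",
	       canary_ok(40, COPY_STRICT), bytes_copied(40, COPY_STRICT) == (size_t)-1);
	return 0;
}
```

With a device that honestly reports 8 bytes all three variants behave the same; the difference only shows when `nbytes` exceeds the caller's buffer, which is exactly the value a compromised peripheral controls. Note that the fixed variant still returns `*resp_len == 16` for a 40-byte claim, so the caller cannot tell a complete 16-byte response from a truncated one; the strict variant makes that case an error.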
...@@ -2184,7 +2184,7 @@ int ath10k_pci_hif_exchange_bmi_msg(struct ath10k *ar, ...@@ -2184,7 +2184,7 @@ int ath10k_pci_hif_exchange_bmi_msg(struct ath10k *ar,
if (ret == 0 && resp_len) { if (ret == 0 && resp_len) {
*resp_len = min(*resp_len, xfer.resp_len); *resp_len = min(*resp_len, xfer.resp_len);
memcpy(resp, tresp, xfer.resp_len); memcpy(resp, tresp, *resp_len);
} }
err_dma: err_dma:
kfree(treq); kfree(treq);
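Review bot: the min() on the line before the memcpy now bounds the copy to the caller's buffer, but it also silently truncates a response the device reports as longer than *resp_len, and a caller that reads *resp_len afterwards cannot tell a complete response from a clipped one. Consider treating xfer.resp_len > *resp_len as an error (ath10k_warn plus a negative return such as -E2BIG) before the copy, so an oversized length from a misbehaving device is surfaced instead of hidden. The hunk does not show how tresp is sized; it is worth confirming that the receive path never writes more than the tresp allocation into it, since the copy still reads from tresp and the only bound visible here is the caller's length.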
......