[PATCH] net: ath10k: fix memcpy size from untrusted input

Kalle Valo kvalo at codeaurora.org
Tue Jun 23 03:44:08 EDT 2020

Zekun Shen <bruceshenzk at gmail.com> wrote:

> A compromized ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
> The min result from previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
> which is set inside _ath10k_ce_completed_recv_next_nolock with the line
> nbytes = __le16_to_cpu(sdesc.nbytes);
> sdesc is a stream dma region which device can write to.
> Signed-off-by: Zekun Shen <bruceshenzk at gmail.com>
> Signed-off-by: Kalle Valo <kvalo at codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

aed95297250f ath10k: pci: fix memcpy size of bmi response



More information about the ath10k mailing list