Is this an out-of-bounds issue?
Qianqiang Liu
qianqiang.liu at 163.com
Thu Sep 12 06:26:45 PDT 2024
Hi,
The code in drivers/net/wireless/mediatek/mt76/mt7925/mcu.c may have an
out-of-bounds issue:
638     for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
639             clc = (const struct mt7925_clc *)(clc_base + offset);
640
641             if (clc->idx > ARRAY_SIZE(phy->clc))    <-
642                     break;
643
644             /* do not init buf again if chip reset triggered */
645             if (phy->clc[clc->idx])
646                     continue;
647
648             phy->clc[clc->idx] = devm_kmemdup(mdev->dev, clc,
649                                               le32_to_cpu(clc->len),
650                                               GFP_KERNEL);
651
652             if (!phy->clc[clc->idx]) {
653                     ret = -ENOMEM;
654                     goto out;
655             }
656     }
Let's say the array size of "phy->clc" is 2; then the valid indices are 0 and 1.
If "clc->idx" is 2, "clc->idx > ARRAY_SIZE(phy->clc)" must be false, the "break"
statement won't be executed, and "phy->clc[2]" may access an illegal memory address.
So, should we modify the code like this?
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index 748ea6adbc6b..0c2a2337c313 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -638,7 +638,7 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
clc = (const struct mt7925_clc *)(clc_base + offset);
- if (clc->idx > ARRAY_SIZE(phy->clc))
+ if (clc->idx >= ARRAY_SIZE(phy->clc))
break;
/* do not init buf again if chip reset triggered */
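Review bot: the change from `>` to `>=` on the replaced line is the correct fix, since `>` lets `clc->idx == ARRAY_SIZE(phy->clc)` through and that value is then used as the subscript in `phy->clc[clc->idx]` a few lines below, one slot past the end of the array. As pasted, the hunk has lost its indentation and the two blank context lines (the header announces 7 old lines but only 6 are shown), so it will not apply as-is; please resend the patch from `git format-patch` with a `Fixes:` tag naming the commit that introduced the check, so it can be picked up for stable.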
--
Best,
Qianqiang Li
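The off-by-one described in the message, as an added stand-alone C example that is not part of the post or of the mt76 driver: a hypothetical `walk_clc()` walks a constructed blob of length-prefixed records the way the driver loop does and applies either the original `>` check or the proposed `>=` check, reporting whether an index equal to the table size would have been used as a subscript. `CLC_SLOTS`, `CLC_HDR` and the record layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed table size, standing in for ARRAY_SIZE(phy->clc) in the driver. */
#define CLC_SLOTS 2
/* Assumed record header: 4-byte little-endian length followed by a 1-byte slot index. */
#define CLC_HDR 5

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the blob like the driver loop. strict == 0 applies the original check
 * (idx > CLC_SLOTS), strict == 1 the fixed one (idx >= CLC_SLOTS). Returns the
 * number of records stored; *oob is set to 1 if an index equal to CLC_SLOTS
 * would have been used as a subscript into the slot table. */
static int walk_clc(const uint8_t *blob, size_t len, int strict, int *oob)
{
    const uint8_t *slots[CLC_SLOTS] = { 0 };
    size_t offset = 0;
    int stored = 0;

    *oob = 0;
    while (offset < len) {
        uint32_t rec_len;
        uint8_t idx;

        /* harness guards so the sample buffer is never over-read and the loop
         * always terminates; they are not part of the check under discussion */
        if (len - offset < CLC_HDR)
            break;
        rec_len = le32(blob + offset);
        idx = blob[offset + 4];
        if (rec_len < CLC_HDR || rec_len > len - offset)
            break;

        if (strict ? idx >= CLC_SLOTS : idx > CLC_SLOTS)
            break;
        if (idx >= CLC_SLOTS) {     /* slots[idx] would be one past the end */
            *oob = 1;
            break;
        }
        if (!slots[idx]) {          /* do not store the same slot twice */
            slots[idx] = blob + offset;
            stored++;
        }
        offset += rec_len;
    }
    return stored;
}

/* Constructed sample blob: records for slot 0, slot 2 (== CLC_SLOTS) and slot 1. */
static const uint8_t sample_blob[] = {
    8, 0, 0, 0, 0, 0xaa, 0xbb, 0xcc,
    8, 0, 0, 0, 2, 0xdd, 0xee, 0xff,
    8, 0, 0, 0, 1, 0x11, 0x22, 0x33,
};
```

With the original check the second record reaches the subscript and `*oob` is set; with `>=` the walk stops at that record instead.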