[PATCH] net: ath10k: fix memcpy size from untrusted input
Kalle Valo
kvalo at codeaurora.org
Tue Jun 23 03:44:08 EDT 2020
Zekun Shen <bruceshenzk at gmail.com> wrote:
> A compromized ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
>
> The min result from previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
> which is set inside _ath10k_ce_completed_recv_next_nolock with the line
>
> nbytes = __le16_to_cpu(sdesc.nbytes);
>
> sdesc is a stream dma region which device can write to.
>
> Signed-off-by: Zekun Shen <bruceshenzk at gmail.com>
> Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
aed95297250f ath10k: pci: fix memcpy size of bmi response
--
https://patchwork.kernel.org/patch/11607461/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
More information about the ath10k
mailing list