| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 May 2024 08:27:23 +0200
From: Johan Hovold <johan@...nel.org>
To: Johan Hovold <johan+linaro@...nel.org>
Cc: Marcel Holtmann <marcel@...tmann.org>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
Doug Anderson <dianders@...omium.org>,
Janaki Ramaiah Thota <quic_janathot@...cinc.com>,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v2 1/3] Bluetooth: qca: add missing firmware sanity checks
On Tue, Apr 30, 2024 at 07:07:39PM +0200, Johan Hovold wrote:
> Add the missing sanity checks when parsing the firmware files before
> downloading them to avoid accessing and corrupting memory beyond the
> vmalloced buffer.
>
> Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
> Cc: stable@...r.kernel.org # 4.10
> Signed-off-by: Johan Hovold <johan+linaro@...nel.org>
> ---
> drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------
> 1 file changed, 32 insertions(+), 6 deletions(-)
> static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,
> @@ -532,7 +556,9 @@ static int qca_download_firmware(struct hci_dev *hdev,
> memcpy(data, fw->data, size);
> release_firmware(fw);
>
> - qca_tlv_check_data(hdev, config, data, soc_type);
> + ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
> + if (ret)
> + return ret;
Bah, I realised late last night that I had forgotten to fix this error
path before posting v2. This was supposed to say
goto out;
to make sure the firmware buffer is released in case we ever encounter
malformed firmware.
I'll send a follow-up patch.
Johan
Powered by blists - more mailing lists