Message-Id: <20250505223922.2682012-408-sashal@kernel.org>
Date: Mon,  5 May 2025 18:38:04 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Cc: Ping-Ke Shih <pkshih@...ltek.com>,
	Sasha Levin <sashal@...nel.org>,
	linux-wireless@...r.kernel.org
Subject: [PATCH AUTOSEL 6.12 408/486] wifi: rtw89: fw: validate multi-firmware header before getting its size

From: Ping-Ke Shih <pkshih@...ltek.com>

[ Upstream commit 2b8bdc5237014cc61784b3676cbaca5325959f3d ]

To access firmware elements appended after multi-firmware, add its size
as offset to get start address of firmware elements.

         +-----+-------+------+---------+--------------+ --
         | sig | fw_nr | rsvd | version | reserved     |   \
         +---------------------------------------------+   |
 fw 0    | cv | type | mp | rsvd | shift | size | rsvd |   |
         +---------------------------------------------+   |
 fw 1    | cv | type | mp | rsvd | shift | size | rsvd |   |
         +---------------------------------------------+   |
 fw N-1  |                  ...                        |   |
         +=============================================+   | mfw size
         |               fw 0 content                  |   |
         +=============================================+   |
         |               fw 1 content                  |   |
         +=============================================+   |
         |                  ...                        |   |
         +=============================================+   |
         |               fw N -1 content               |   |
         +=============================================+ --/
         |             fw element TLV X                |
         +=============================================+
         |             fw element TLV Y                |
         +=============================================+
         |             fw element TLV Z                |
         +=============================================+

To avoid Coverity warning when getting mfw size, validate its header ahead.

Addresses-Coverity-ID: 1544385 ("Untrusted array index read")

Signed-off-by: Ping-Ke Shih <pkshih@...ltek.com>
Link: https://patch.msgid.link/20250203072911.47313-5-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
 drivers/net/wireless/realtek/rtw89/fw.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index 9346fe082040c..520dc0bc01956 100644
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -563,12 +563,17 @@ static u32 rtw89_mfw_get_size(struct rtw89_dev *rtwdev)
 		(const struct rtw89_mfw_hdr *)firmware->data;
 	const struct rtw89_mfw_info *mfw_info;
 	u32 size;
+	int ret;
 
 	if (mfw_hdr->sig != RTW89_MFW_SIG) {
 		rtw89_warn(rtwdev, "not mfw format\n");
 		return 0;
 	}
 
+	ret = rtw89_mfw_validate_hdr(rtwdev, firmware, mfw_hdr);
+	if (ret)
+		return ret;
+
 	mfw_info = &mfw_hdr->info[mfw_hdr->fw_nr - 1];
 	size = le32_to_cpu(mfw_info->shift) + le32_to_cpu(mfw_info->size);
 
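Review bot: the added `return ret;` sits in a function declared `static u32 rtw89_mfw_get_size(...)`, so if rtw89_mfw_validate_hdr() signals failure with a negative errno (its body is not part of this hunk), that value is converted to a very large u32 and handed back as the mfw size, which the commit message says is then added as an offset to reach the firmware elements. The signature check directly above returns 0 on failure; returning 0 here too, or changing the return type to int and passing the size through an out parameter, keeps an error code from being read as a length. It is also worth confirming that the validator rejects fw_nr == 0, because `mfw_hdr->info[mfw_hdr->fw_nr - 1]` follows immediately.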
-- 
2.39.5
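The check the commit message describes (bound the descriptor table before reading `info[fw_nr - 1]`, then bound `shift + size`), as an added userspace example that is not the rtw89 driver code. The `ex_` names, the byte widths of the fields and the signature value are assumptions chosen for illustration; only the field order comes from the diagram above.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumptions for illustration: field order follows the commit message's
 * diagram; byte widths and the signature value are not the rtw89 ones. */
#define EX_SIG       0xFFu /* hypothetical signature byte */
#define EX_HDR_LEN   16u   /* sig | fw_nr | rsvd | version | reserved */
#define EX_INFO_LEN  16u   /* cv | type | mp | rsvd | shift | size | rsvd */
#define EX_SHIFT_OFF 4u    /* le32: offset of this fw's content in the blob */
#define EX_SIZE_OFF  8u    /* le32: length of this fw's content */

/* Constructed sample: header, one descriptor (shift=32, size=4), 4 content
 * bytes, then 4 bytes standing in for a fw element TLV. */
const uint8_t ex_sample[40] = {
	[0] = EX_SIG, [1] = 1,
	[EX_HDR_LEN + EX_SHIFT_OFF] = 32, [EX_HDR_LEN + EX_SIZE_OFF] = 4,
};

static uint32_t ex_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the mfw size (offset of the first element TLV), or 0 if untrusted. */
size_t ex_mfw_get_size(const uint8_t *data, size_t len)
{
	size_t table_end;
	const uint8_t *last;
	uint64_t shift, end;

	/* fw_nr == 0 would make info[fw_nr - 1] index before the table. */
	if (len < EX_HDR_LEN || data[0] != EX_SIG || data[1] == 0)
		return 0;

	/* The whole descriptor table must fit before its last entry is read. */
	table_end = EX_HDR_LEN + (size_t)data[1] * EX_INFO_LEN;
	if (table_end > len)
		return 0;
	last = data + table_end - EX_INFO_LEN;

	/* shift and size come from the file: sum in 64 bits so it cannot wrap,
	 * then require the content to follow the table and end inside the blob. */
	shift = ex_le32(last + EX_SHIFT_OFF);
	end = shift + ex_le32(last + EX_SIZE_OFF);
	if (shift < table_end || end > len)
		return 0;
	return (size_t)end;
}
```

Returning 0 for every rejected header keeps the error path from being mistaken for a length by a caller that adds the result to the blob's base address.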

