[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20200623074408.65E75C433CA@smtp.codeaurora.org>
Date: Tue, 23 Jun 2020 07:44:08 +0000 (UTC)
From: Kalle Valo <kvalo@...eaurora.org>
To: Zekun Shen <bruceshenzk@...il.com>
Cc: unlisted-recipients:; (no To-header on input)
Zekun Shen <bruceshenzk@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, ath10k@...ts.infradead.org,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: ath10k: fix memcpy size from untrusted input
Zekun Shen <bruceshenzk@...il.com> wrote:
> A compromized ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
>
> The min result from previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
> which is set inside _ath10k_ce_completed_recv_next_nolock with the line
>
> nbytes = __le16_to_cpu(sdesc.nbytes);
>
> sdesc is a stream dma region which device can write to.
>
> Signed-off-by: Zekun Shen <bruceshenzk@...il.com>
> Signed-off-by: Kalle Valo <kvalo@...eaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
aed95297250f ath10k: pci: fix memcpy size of bmi response
--
https://patchwork.kernel.org/patch/11607461/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Powered by blists - more mailing lists