Re: [PATCH] net: ath10k: fix memcpy size from untrusted input

From: Kalle Valo
Date: Tue Jun 23 2020 - 03:44:16 EST

Next message: Anand Moon: "[PATCH] Revert "usb: dwc3: exynos: Add support for Exynos5422 suspend clk""
Previous message: Jisheng Zhang: "[PATCH v2 1/2] net: phy: export phy_disable_interrupts()"
In reply to: Zekun Shen: "[PATCH] net: ath10k: fix memcpy size from untrusted input"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zekun Shen <bruceshenzk@xxxxxxxxx> wrote:

> A compromized ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
>
> The min result from previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
> which is set inside _ath10k_ce_completed_recv_next_nolock with the line
>
> nbytes = __le16_to_cpu(sdesc.nbytes);
>
> sdesc is a stream dma region which device can write to.
>
> Signed-off-by: Zekun Shen <bruceshenzk@xxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

aed95297250f ath10k: pci: fix memcpy size of bmi response

--
https://patchwork.kernel.org/patch/11607461/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Next message: Anand Moon: "[PATCH] Revert "usb: dwc3: exynos: Add support for Exynos5422 suspend clk""
Previous message: Jisheng Zhang: "[PATCH v2 1/2] net: phy: export phy_disable_interrupts()"
In reply to: Zekun Shen: "[PATCH] net: ath10k: fix memcpy size from untrusted input"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]