Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp177779imd; Wed, 31 Oct 2018 16:53:19 -0700 (PDT) X-Google-Smtp-Source: AJdET5d4ENPJ2nzBAQ2+QRbvLr3dV0fDZMtFp/LpVIbTRI0D7mkF6SR6z8WvYTfY5PfA5wqXoETb X-Received: by 2002:a63:da57:: with SMTP id l23-v6mr5086750pgj.179.1541029999809; Wed, 31 Oct 2018 16:53:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541029999; cv=none; d=google.com; s=arc-20160816; b=mIBvdgzCt8H4y6b/L2nd5hy6MHk7BLSNq2dPBHLjK0CxRNLjK5nQ1HEPXq28w5xC9P mENganDXAULGPF9+3M2wfReFdaKn7hEjazM8Nz0TtBA3Xlra5EUrpdk4wLA0mOSTzPP6 dtfXaTnRto8uDjtBMDnCHHNY3vQCl1V9rKThZ+KeYSDzA1qjKznAEpI1FwAKYkwYh3Bd vUgylMs8Yxa7/cdJR9VCw8tRPtWR8EdOnQZF8pStc2UKqdP63kyriY+hMmflmui/GspO AoYl5Kl0djKCxPmvsV/rhQnjwpGm6qfw0J2PSu88gc+w0hjIdp7sYFblgHkK4VQvKKI5 sB5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=VhUth4wuc31rkHiZo56Azh4LQCzD+a1iTroOGT/3aDI=; b=mDV7mcC/oj2r4bPT1p6G6PuSlnPDcZbIosu5FN6VEa0Rs9z5Q6LqkvtSX++L3yndy2 iZeAFFmSnI2TGQXVHi6o+j3+Ib6bxnDpYEOJe3DN8bblPiQg205DcTxbHf2EHPiugXo0 kjS9nmDSbklpLOTQ5Pos4lfhgLBdqw7MzWbt4HvqHJuraAN3ycEdp6iAEpD7ENGKnDCt tWPjkGIlu0LmVtx4osxNQf21VukwMh606gwBW6cEGyESz80fgQhhTZBzyV3DmjNKeV8Z xUPZU8Ed1qzXcKjdCga5+dgVb6VkRYy96jDhjVEjFeRjLt9jTW3SOm0vgyvaW1elYOqP zctw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=F2lHexk1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g63-v6si24063427pfc.187.2018.10.31.16.53.05; Wed, 31 Oct 2018 16:53:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=F2lHexk1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728263AbeKAIxH (ORCPT + 99 others); Thu, 1 Nov 2018 04:53:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:53124 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727683AbeKAIGT (ORCPT ); Thu, 1 Nov 2018 04:06:19 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6AB0A20843; Wed, 31 Oct 2018 23:06:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541027168; bh=UxzfIGUMoPAUg4bqFg44OEChrZ0+rcb80UnaLaNtRPY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F2lHexk13+D0/h0IIwMM2KHDCO8+279EmgoAu/4J4eBZPCll2PPs1JdzGhY9BMkYG vV2G2LvvHfynanimegIwpMS+aaol3xFqMS1wSvSiRarxepSiZZgLLWm52pznHyrwC+ 0PeqLjcCEgrBmKSJGyn3HG/9yMtrclq5V1r5Icwk= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Luca Coelho , Sasha Levin Subject: [PATCH AUTOSEL 4.19 029/146] iwlwifi: mvm: check for n_profiles validity in EWRD ACPI Date: Wed, 31 Oct 2018 19:03:44 -0400 Message-Id: <20181031230541.28822-29-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181031230541.28822-1-sashal@kernel.org> References: <20181031230541.28822-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Luca Coelho [ Upstream commit 2e1976bb75263fbad918e82184b16a23bd721546 ] When reading the profiles from the EWRD table in ACPI, we loop over the data and set it into our internal table. We use the number of profiles specified in ACPI without checking its validity, so if the ACPI table is corrupted and the number is larger than our array size, we will try to make an out-of-bounds access. Fix this by making sure the value specified in the ACPI table is valid. Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table") Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin --- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c index 6bb1a99a197a..48a3611d6a31 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c @@ -704,8 +704,12 @@ static int iwl_mvm_sar_get_ewrd_table(struct iwl_mvm *mvm) enabled = !!(wifi_pkg->package.elements[1].integer.value); n_profiles = wifi_pkg->package.elements[2].integer.value; - /* in case of BIOS bug */ - if (n_profiles <= 0) { + /* + * Check the validity of n_profiles. The EWRD profiles start + * from index 1, so the maximum value allowed here is + * ACPI_SAR_PROFILES_NUM - 1. + */ + if (n_profiles <= 0 || n_profiles >= ACPI_SAR_PROFILE_NUM) { ret = -EINVAL; goto out_free; } -- 2.17.1