Date: Wed, 1 May 2024 08:27:23 +0200
From: Johan Hovold
To: Johan Hovold
Cc: Marcel Holtmann, Luiz Augusto von Dentz, Doug Anderson, Janaki Ramaiah Thota, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/3] Bluetooth: qca: add missing firmware sanity checks
References: <20240430170741.15742-1-johan+linaro@kernel.org> <20240430170741.15742-2-johan+linaro@kernel.org>
In-Reply-To: <20240430170741.15742-2-johan+linaro@kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

On Tue, Apr 30, 2024 at 07:07:39PM +0200, Johan Hovold wrote:
> Add the missing sanity checks when parsing the firmware files before
> downloading them to avoid accessing and corrupting memory beyond the
> vmalloced buffer.
>
> Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
> Cc: stable@vger.kernel.org # 4.10
> Signed-off-by: Johan Hovold
> ---
> drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------
> 1 file changed, 32 insertions(+), 6 deletions(-)

> static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,
> @@ -532,7 +556,9 @@ static int qca_download_firmware(struct hci_dev *hdev,
> memcpy(data, fw->data, size);
> release_firmware(fw);
>
> - qca_tlv_check_data(hdev, config, data, soc_type);
> + ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
> + if (ret)
> + return ret;

Bah, I realised late last night that I had forgotten to fix this error
path before posting v2.

This was supposed to say

	goto out;

to make sure the firmware buffer is released in case we ever encounter
malformed firmware.

I'll send a follow-up patch.

Johan
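Review bot: the new `return ret` on the qca_tlv_check_data() error path in the `@@ -532,7 +556,9 @@` hunk leaks the vmalloced `data` buffer that was just filled from fw->data, because it bails out after release_firmware(fw) without freeing `data`; as the author notes, the line should read `goto out;` so the function's `out` cleanup label releases the buffer when malformed firmware is rejected. The follow-up patch that corrects this is mentioned but not included in this message, so the hunk as posted still has the leak.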