From: Kalle Valo
To: Ganapathi Bhat
Cc: Cathy Luo, Zhiyuan Yang, James Cao, Rakesh Parmar, Brian Norris, Sharvari Harisangam
Subject: Re: [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump
Date: Thu, 14 Nov 2019 17:18:10 +0200
Message-ID: <87v9rmbi6l.fsf@tynnyri.adurom.net>
In-Reply-To: <1573622132-16181-1-git-send-email-gbhat@marvell.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Ganapathi Bhat writes:

> From: Sharvari Harisangam
>
> mwifiex_pcie_fw_dump would read firmware scratch registers, to
> get the size of the dump. It does a vmalloc of memory_size + 1,
> read above, to save the dump. It is possible that the value read
> by memory_size scratch register be invalid, i.e 0xffffffff. This
> would pass an invalid size(0) to vmalloc. To fix this check for
> invalid scratch register read.
>
> Signed-off-by: Sharvari Harisangam
> Signed-off-by: Ganapathi Bhat
> --- > drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c > index fc1706d..483b521 100644 > --- a/drivers/net/wireless/marvell/mwifiex/pcie.c > +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c > @@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter) > break; > } > > + if (memory_size == 0xffffffff) { > + mwifiex_dbg(adapter, ERROR, > + "Invalid dump size: 0x%x, for %s\n", > + memory_size, entry->mem_name); > + return; > + } > + > mwifiex_dbg(adapter, DUMP, > "%s_SIZE=0x%x\n", entry->mem_name, memory_size); > entry->mem_ptr = vmalloc(memory_size + 1);

So 0xfffffffe would be a valid length for vmalloc()? I doubt that :) A
proper fix would be to add a reasonable maximum for memory_size and
return if it's anything bigger than the limit. Never trust the firmware.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
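
Review bot: the added `if (memory_size == 0xffffffff)` test rejects only the single value that makes `memory_size + 1` wrap to 0; every other value read from the scratch register, 0xfffffffe included, still goes straight into `vmalloc(memory_size + 1)`. Compare memory_size against an upper bound sized for the largest dump the device can legitimately produce and bail out above it, which covers 0xffffffff as one case of the same check. The new path also leaves the function with a bare `return` where the context line just above uses `break`; confirm against the rest of the function that nothing done on the normal exit path is skipped by returning here.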