Message ID | 1573622132-16181-1-git-send-email-gbhat@marvell.com (mailing list archive)
---|---
State | Changes Requested
Delegated to | Kalle Valo
Series | [1/2] mwifiex: fix requesting zero memory for firmware dump
Ganapathi Bhat <gbhat@marvell.com> writes:

> From: Sharvari Harisangam <sharvari@marvell.com>
>
> mwifiex_pcie_fw_dump would read firmware scratch registers, to
> get the size of the dump. It does a vmalloc of memory_size + 1,
> read above, to save the dump. It is possible that the value read
> by memory_size scratch register be invalid, i.e. 0xffffffff. This
> would pass an invalid size (0) to vmalloc. To fix this, check for
> invalid scratch register read.
>
> Signed-off-by: Sharvari Harisangam <sharvari@marvell.com>
> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
> ---
> drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c > index fc1706d..483b521 100644 > --- a/drivers/net/wireless/marvell/mwifiex/pcie.c > +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c > @@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter) > break; > } > > + if (memory_size == 0xffffffff) { > + mwifiex_dbg(adapter, ERROR, > + "Invalid dump size: 0x%x, for %s\n", > + memory_size, entry->mem_name); > + return; > + } > + > mwifiex_dbg(adapter, DUMP, > "%s_SIZE=0x%x\n", entry->mem_name, memory_size); > entry->mem_ptr = vmalloc(memory_size + 1);

So 0xfffffffe would be a valid length for vmalloc()? I doubt that :)

A proper fix would be to add a reasonable maximum for memory_size and return if it's anything bigger than the limit. Never trust the firmware.
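Review bot: the guard `if (memory_size == 0xffffffff)` rejects only the single value whose `+ 1` wraps to zero, so any other corrupt read from the scratch register (0xfffffffe, or anything far above a real dump) still reaches `vmalloc(memory_size + 1)` as a huge allocation request. Because the size is taken from firmware-owned registers, the sentinel compare should be a range check against an explicit upper bound, for example `if (memory_size == 0 || memory_size > MAX_FW_DUMP_SIZE)` with the constant (placeholder name here, not an existing define) sized to the largest dump the firmware can legitimately report, keeping the `mwifiex_dbg(adapter, ERROR, ...)` and `return` path for anything outside it. The commit message should then describe the check as a bound on the reported size rather than as catching a size of 0, since the value being rejected is 0xffffffff and the zero only appears after the increment.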