Ganapathi Bhat <gbhat@xxxxxxxxxxx> writes:
> From: Sharvari Harisangam <sharvari@xxxxxxxxxxx>
>
> mwifiex_pcie_fw_dump would read firmware scratch registers, to
> get the size of the dump. It does a vmalloc of memory_size + 1,
> read above, to save the dump. It is possible that the value read
> by memory_size scratch register be invalid, i.e 0xffffffff. This
> would pass an invalid size(0) to vmalloc. To fix this check for
> invalid scratch register read.
>
> Signed-off-by: Sharvari Harisangam <sharvari@xxxxxxxxxxx>
> Signed-off-by: Ganapathi Bhat <gbhat@xxxxxxxxxxx>
> ---
> drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
> index fc1706d..483b521 100644
> --- a/drivers/net/wireless/marvell/mwifiex/pcie.c
> +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
> @@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter)
> break;
> }
>
> + if (memory_size == 0xffffffff) {
> + mwifiex_dbg(adapter, ERROR,
> + "Invalid dump size: 0x%x, for %s\n",
> + memory_size, entry->mem_name);
> + return;
> + }
> +
> mwifiex_dbg(adapter, DUMP,
> "%s_SIZE=0x%x\n", entry->mem_name, memory_size);
> entry->mem_ptr = vmalloc(memory_size + 1);
So 0xfffffffe would be a valid length for vmalloc()? I doubt that :) A
proper fix would be to add a reasonable maximum for memory_size and
return if it's anything bigger than the limit. Never trust the firmware.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
