Zekun Shen <bruceshenzk@xxxxxxxxx> wrote:

> A compromised ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
>
> The min result from the previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
> which is set inside _ath10k_ce_completed_recv_next_nolock with the line
>
> nbytes = __le16_to_cpu(sdesc.nbytes);
>
> sdesc is a stream dma region which the device can write to.
>
> Signed-off-by: Zekun Shen <bruceshenzk@xxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

aed95297250f ath10k: pci: fix memcpy size of bmi response

--
https://patchwork.kernel.org/patch/11607461/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
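Added example, not code from the ath10k driver or from this thread: a simplified C model of the bug class the commit message describes, where a length that the device writes into a DMA descriptor must be clamped to the caller's buffer and the clamped value, not the device's, is what reaches memcpy. The struct, buffer sizes and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not ath10k code: a completion descriptor the device
 * writes by DMA, reporting how many bytes it placed in the driver's
 * bounce buffer. A compromised peripheral controls every field in it. */
struct recv_desc {
    uint16_t nbytes;
};

#define BOUNCE_LEN 256  /* assumed size of the driver's DMA bounce buffer */

/* Copy a BMI response from the bounce buffer into the caller's buffer.
 * On entry *resp_len is the caller's capacity; on return it is the bytes
 * copied. The bug in the thread computed the min but still passed the
 * unclamped device length to memcpy; here the clamped value is used.
 * Returns 0, or -1 if the device claims more than the bounce buffer holds. */
static int bmi_recv_response(const struct recv_desc *desc,
                             const uint8_t *bounce,
                             uint8_t *resp, size_t *resp_len)
{
    size_t dev_len = desc->nbytes;   /* untrusted: read from DMA memory */

    if (dev_len > BOUNCE_LEN)
        return -1;                   /* descriptor is inconsistent, reject */

    if (dev_len < *resp_len)
        *resp_len = dev_len;
    memcpy(resp, bounce, *resp_len);  /* bounded by caller capacity */
    return 0;
}

/* Constructed scenario: device claims `claimed` bytes, caller offers
 * `caller_len` (at most 64). Returns bytes copied, or 0 if rejected. */
static size_t run_scenario(uint16_t claimed, size_t caller_len)
{
    struct recv_desc desc = { .nbytes = claimed };
    uint8_t bounce[BOUNCE_LEN];
    uint8_t resp[64];
    size_t resp_len = caller_len < sizeof(resp) ? caller_len : sizeof(resp);

    memset(bounce, 0xAB, sizeof(bounce));
    if (bmi_recv_response(&desc, bounce, resp, &resp_len) != 0)
        return 0;
    return resp_len;
}
```

With the unclamped length, the first scenario would copy 200 bytes into a 64-byte buffer; with the clamp it copies 64.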