From: Ming Yen Hsieh <mingyen.hsieh@xxxxxxxxxxxx>
commit 9679ca7326e52282cc923c4d71d81c999cb6cd55 upstream.
Due to the lack of checks on the clc array, if the firmware supports
more clc configuration, it will cause illegal memory access.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@xxxxxxxxxxxx>
Link: https://patch.msgid.link/20240819015334.14580-1-mingyen.hsieh@xxxxxxxxxxxx
Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -613,6 +613,9 @@ static int mt7925_load_clc(struct mt792x
for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
clc = (const struct mt7925_clc *)(clc_base + offset);
+ if (clc->idx > ARRAY_SIZE(phy->clc))
+ break;
+
/* do not init buf again if chip reset triggered */
if (phy->clc[clc->idx])
continue;
Patches currently in stable-queue which might be from mingyen.hsieh@xxxxxxxxxxxx are
queue-6.10/wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch
queue-6.10/wifi-mt76-mt7921-fix-wrong-unii-4-freq-range-check-f.patch
