From: Zekun Shen Date: Tue, 16 Jun 2020 13:25:43 +0000 (-0400) Subject: ath10k: pci: fix memcpy size of bmi response X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=aed95297250f0cac4c4861eef4a91708970aa1dc;p=linux.git ath10k: pci: fix memcpy size of bmi response A compromized ath10k peripheral is able to control the size argument of memcpy in ath10k_pci_hif_exchange_bmi_msg. The min result from previous line is not used as the size argument for memcpy. Instead, xfer.resp_len comes from untrusted stream dma input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data, which is set inside _ath10k_ce_completed_recv_next_nolock with the line nbytes = __le16_to_cpu(sdesc.nbytes); sdesc is a stream dma region which device can write to. Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200616132544.17478-1-bruceshenzk@gmail.com --- diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c index 1d941d53fdc9f..ad28d91565d1a 100644 --- a/drivers/net/wireless/ath/ath10k/pci.c +++ b/drivers/net/wireless/ath/ath10k/pci.c @@ -2184,7 +2184,7 @@ err_req: if (ret == 0 && resp_len) { *resp_len = min(*resp_len, xfer.resp_len); - memcpy(resp, tresp, xfer.resp_len); + memcpy(resp, tresp, *resp_len); } err_dma: kfree(treq);