From 1c16771a7b6fd7a56e6c7b3548f08e49778bb7c3 Mon Sep 17 00:00:00 2001 From: Naman Padhiar Date: Wed, 8 May 2019 16:34:37 +0530 Subject: [PATCH] icnss: Add check on msa region When icnss receive server arrive it send wlfw_msa_mem_info_send_sync_msg QMI request to firmware and in response expect range of addresses and size to be mapped. Add condition to check whether addresses in response falls under valid range otherwise it asserts. Change-Id: I9a8542cb6c3b3cefe112d1f08a76dd2eadf68d2f Signed-off-by: Naman Padhiar --- drivers/soc/qcom/icnss.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/soc/qcom/icnss.c b/drivers/soc/qcom/icnss.c index 454a897c19ab..2d736c7617cd 100644 --- a/drivers/soc/qcom/icnss.c +++ b/drivers/soc/qcom/icnss.c @@ -1240,6 +1240,7 @@ static int wlfw_msa_mem_info_send_sync_msg(void) struct wlfw_msa_info_req_msg_v01 req; struct wlfw_msa_info_resp_msg_v01 resp; struct msg_desc req_desc, resp_desc; + uint64_t max_mapped_addr; if (!penv || !penv->wlfw_clnt) return -ENODEV; @@ -1286,9 +1287,23 @@ static int wlfw_msa_mem_info_send_sync_msg(void) goto out; } + max_mapped_addr = penv->msa_pa + penv->msa_mem_size; penv->stats.msa_info_resp++; penv->nr_mem_region = resp.mem_region_info_len; for (i = 0; i < resp.mem_region_info_len; i++) { + + if (resp.mem_region_info[i].size > penv->msa_mem_size || + resp.mem_region_info[i].region_addr > max_mapped_addr || + resp.mem_region_info[i].region_addr < penv->msa_pa || + resp.mem_region_info[i].size + + resp.mem_region_info[i].region_addr > max_mapped_addr) { + icnss_pr_dbg("Received out of range Addr: 0x%llx Size: 0x%x\n", + resp.mem_region_info[i].region_addr, + resp.mem_region_info[i].size); + ret = -EINVAL; + goto fail_unwind; + } + penv->mem_region[i].reg_addr = resp.mem_region_info[i].region_addr; penv->mem_region[i].size = 
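Review bot: The last clause of the new range test, `resp.mem_region_info[i].size + resp.mem_region_info[i].region_addr > max_mapped_addr`, avoids wrap-around only because the earlier clauses have already bounded both operands, and nothing in the code records that the clause order is load-bearing. Writing it as `resp.mem_region_info[i].size > max_mapped_addr - resp.mem_region_info[i].region_addr` is exact once the preceding `region_addr > max_mapped_addr` clause has passed. Otherwise a comment such as `/* earlier clauses bound both operands, so this sum cannot wrap */` would document the dependency. The rejection is also logged with `icnss_pr_dbg`; a firmware response that fails validation is worth `icnss_pr_err` so it is visible without debug logging enabled. The function body starts before this hunk and continues after it.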
@@ -1303,6 +1318,8 @@ static int wlfw_msa_mem_info_send_sync_msg(void) return 0; +fail_unwind: + memset(&penv->mem_region[0], 0, sizeof(penv->mem_region[0]) * i); out: penv->stats.msa_info_err++; ICNSS_QMI_ASSERT();
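Review bot: The `fail_unwind` path zeroes the entries already copied into `penv->mem_region` but leaves `penv->nr_mem_region` at the firmware-supplied count, which the previous hunk's context assigns before the loop has validated anything. If `ICNSS_QMI_ASSERT()` does not halt on a given build, any later code that walks `nr_mem_region` entries would see a non-zero count over zeroed regions; whether such a consumer exists is not visible here. Adding `penv->nr_mem_region = 0;` after the `memset`, or moving the assignment to after the loop, keeps the count and the table in step. The function continues past the end of this hunk.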