authorRajeev Kumar <quic_rajekuma@quicinc.com>2019-05-08 16:34:37 +0530
committerHarrison Lingren <hlingren@google.com>2019-06-04 15:27:29 -0700
commit1b906595f3c904bb03c3b092dc76aae965c7f96d (patch)
treeb7646e6fa80fc649ca8f73f1219fb356fa186e2e
parentb3668ca2041748a3d2e2f712a9e23141bf4a55f7 (diff)
icnss: Add check on msa regionandroid-9.0.0_r0.114
When icnss receives the server arrive event, it sends the wlfw_msa_mem_info_send_sync_msg QMI request to firmware and expects the response to contain the range of addresses and sizes to be mapped. Add a condition to check whether the addresses in the response fall within the valid range; otherwise it asserts. CRs-Fixed: 2448763 Bug: 129282574 Bug: 132193791 Signed-off-by: Naman Padhiar <npadhiar@codeaurora.org> Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com> (cherry picked from commit a6229910e2161b45cebd45f6c2918ca9d9a7d73c) Change-Id: I9a8542cb6c3b3cefe112d1f08a76dd2eadf68d2f
-rw-r--r--drivers/soc/qcom/icnss.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/drivers/soc/qcom/icnss.c b/drivers/soc/qcom/icnss.c
index ad9fc22c162f..85dd6e592505 100644
--- a/drivers/soc/qcom/icnss.c
+++ b/drivers/soc/qcom/icnss.c
@@ -1297,6 +1297,7 @@ static int wlfw_msa_mem_info_send_sync_msg(void)
struct wlfw_msa_info_req_msg_v01 req;
struct wlfw_msa_info_resp_msg_v01 resp;
struct msg_desc req_desc, resp_desc;
+ uint64_t max_mapped_addr;
if (!penv || !penv->wlfw_clnt)
return -ENODEV;
@@ -1343,9 +1344,23 @@ static int wlfw_msa_mem_info_send_sync_msg(void)
goto out;
}
+ max_mapped_addr = penv->msa_pa + penv->msa_mem_size;
penv->stats.msa_info_resp++;
penv->nr_mem_region = resp.mem_region_info_len;
for (i = 0; i < resp.mem_region_info_len; i++) {
+
+ if (resp.mem_region_info[i].size > penv->msa_mem_size ||
+ resp.mem_region_info[i].region_addr > max_mapped_addr ||
+ resp.mem_region_info[i].region_addr < penv->msa_pa ||
+ resp.mem_region_info[i].size +
+ resp.mem_region_info[i].region_addr > max_mapped_addr) {
+ icnss_pr_dbg("Received out of range Addr: 0x%llx Size: 0x%x\n",
+ resp.mem_region_info[i].region_addr,
+ resp.mem_region_info[i].size);
+ ret = -EINVAL;
+ goto fail_unwind;
+ }
+
penv->mem_region[i].reg_addr =
resp.mem_region_info[i].region_addr;
penv->mem_region[i].size =
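Review bot: The range check on `resp.mem_region_info[i]` is overflow-safe only because of clause order: the final `size + region_addr > max_mapped_addr` comparison is evaluated after `region_addr` has already been bounded by the two clauses before it. Writing the bound as a subtraction removes that dependence and makes the separate `size > penv->msa_mem_size` test redundant, e.g. `region_addr < penv->msa_pa || region_addr > max_mapped_addr || size > max_mapped_addr - region_addr`. The rejection is also logged through `icnss_pr_dbg`; since it records firmware returning an address outside the MSA range, an error-level message would keep it visible in production logs. The function body starts and ends outside this hunk.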
@@ -1360,6 +1375,8 @@ static int wlfw_msa_mem_info_send_sync_msg(void)
return 0;
+fail_unwind:
+ memset(&penv->mem_region[0], 0, sizeof(penv->mem_region[0]) * i);
out:
penv->stats.msa_info_err++;
ICNSS_QMI_ASSERT();
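Review bot: `fail_unwind` zeroes the `penv->mem_region` entries copied so far but leaves `penv->nr_mem_region` at the firmware-supplied `resp.mem_region_info_len`, which the previous hunk assigns before any region has been validated. If `ICNSS_QMI_ASSERT()` is not fatal in a given build (its definition is not visible here), any later code that walks `nr_mem_region` entries would see a non-zero count over zeroed regions. Resetting the count next to the memset, `penv->nr_mem_region = 0;`, or assigning it only after the loop completes, keeps the two in step. A short comment on the memset noting that entry `i` was never written, so only entries `0..i-1` need clearing, would help the next reader. The function continues past the end of this hunk.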