
qcacmn: Fix OOB access issues in HTC and HIF

Possible out-of-bounds access to array 'endpoint' of size '9' when
'log_packet_info' is called from the following APIs:
get_htc_send_packets_credit_based()
get_htc_send_packets()

INT_MAX may be used to access array 'hif_ext_group->os_irq' of
size 16 in function hif_ipci_irq_set_affinity_hint().

Fix is to add index range check before accessing those arrays.

Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572
CRs-Fixed: 3779968
Srikanth Marepalli před 1 rokem
rodič
revize
f2063f8aea
2 změnil soubory, kde provedl 8 přidání a 4 odebrání
  1. 1 1
      hif/src/ipcie/if_ipci.c
  2. 7 3
      htc/htc_send.c

+ 1 - 1
hif/src/ipcie/if_ipci.c

@@ -575,7 +575,7 @@ void hif_ipci_irq_set_affinity_hint(struct hif_exec_context *hif_ext_group,
 			}
 		}
 	}
-	for (i = 0; i < hif_ext_group->numirq; i++) {
+	for (i = 0; i < hif_ext_group->numirq && i < HIF_MAX_GRP_IRQ; i++) {
 		if (mask_set) {
 			ret = hif_affinity_mgr_set_qrg_irq_affinity((struct hif_softc *)hif_ext_group->hif,
 								    hif_ext_group->os_irq[i],
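Review bot: The added `i < HIF_MAX_GRP_IRQ` condition clamps the loop silently, so a `numirq` larger than the `os_irq` array is never reported and the IRQs beyond the bound are just skipped. A count above the array length means the group state is already inconsistent, so it would be better to reject it once before the loop, e.g. `if (hif_ext_group->numirq > HIF_MAX_GRP_IRQ) return;` preceded by an error log, or to enforce the limit where `numirq` is assigned, which is outside this hunk. This assumes `HIF_MAX_GRP_IRQ` is the declared length of `os_irq` (the commit message gives 16); the declaration is not visible here and should be confirmed. hif_ipci_irq_set_affinity_hint() starts and ends outside the hunk, so any other loop over `numirq` in it needs the same bound.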

+ 7 - 3
htc/htc_send.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -1206,7 +1206,9 @@ static void get_htc_send_packets_credit_based(HTC_TARGET *target,
 							 HTC_PACKET_QUEUE_DEPTH(pQueue)));
 
 				pPacket = htc_get_pkt_at_head(tx_queue);
-				if (!pPacket)
+				if (!pPacket ||
+				    (pPacket->Endpoint >= ENDPOINT_MAX) ||
+				    (pPacket->Endpoint <= ENDPOINT_UNUSED))
 					break;
 				log_packet_info(target, pPacket);
 				break;
@@ -1370,7 +1372,9 @@ static void get_htc_send_packets(HTC_TARGET *target,
 				/* bus suspended, runtime resume issued */
 				QDF_ASSERT(HTC_PACKET_QUEUE_DEPTH(pQueue) == 0);
 				pPacket = htc_get_pkt_at_head(tx_queue);
-				if (!pPacket)
+				if (!pPacket ||
+				    (pPacket->Endpoint >= ENDPOINT_MAX) ||
+				    (pPacket->Endpoint <= ENDPOINT_UNUSED))
 					break;
 				log_packet_info(target, pPacket);
 				break;
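Review bot: The same three-part range check on `pPacket->Endpoint` is pasted into both get_htc_send_packets_credit_based() and get_htc_send_packets(), while the array indexing it protects happens inside log_packet_info(), according to the commit message. Placing the guard at the top of log_packet_info(), `if (pPacket->Endpoint <= ENDPOINT_UNUSED || pPacket->Endpoint >= ENDPOINT_MAX) return;`, would cover every caller and keep the bound next to the access it protects. In both hunks an out-of-range endpoint now takes the same silent `break` as an empty queue; an error-level log on that path would make a corrupted packet visible rather than hiding it. Both callers and log_packet_info() lie outside the hunks, and the lower bound depends on the value of `ENDPOINT_UNUSED`, which should be confirmed against its definition.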