samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix OOB access issues in HTC and HIF

Browse Source 
Possible OOB Access array 'endpoint' of size '9' while calling
'log_packet_info' in below APIs:
get_htc_send_packets_credit_based()
get_htc_send_packets()

INT_MAX may be used to access array 'hif_ext_group->os_irq' of
size 16 in function hif_ipci_irq_set_affinity_hint().

Fix is to add index range check before accessing those arrays.

Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572
CRs-Fixed: 3779968
This commit is contained in:
Srikanth Marepalli
2024-03-13 22:04:36 +05:30
committed by Ravindra Konda
parent 908cf6b29c
commit f2063f8aea
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hif/src/ipcie/if_ipci.c
View File

@@ -575,7 +575,7 @@ void hif_ipci_irq_set_affinity_hint(struct hif_exec_context *hif_ext_group,
} }
} }
} }
for (i = 0; i < hif_ext_group->numirq; i++) { for (i = 0; i < hif_ext_group->numirq && i < HIF_MAX_GRP_IRQ; i++) {
if (mask_set) { if (mask_set) {
ret = hif_affinity_mgr_set_qrg_irq_affinity((struct hif_softc *)hif_ext_group->hif, ret = hif_affinity_mgr_set_qrg_irq_affinity((struct hif_softc *)hif_ext_group->hif,
hif_ext_group->os_irq[i], hif_ext_group->os_irq[i],

10
htc/htc_send.c
View File

@@ -1,6 +1,6 @@
/* /*
* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved. * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
* Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved. * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
* *
* Permission to use, copy, modify, and/or distribute this software for * Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the * any purpose with or without fee is hereby granted, provided that the
@@ -1206,7 +1206,9 @@ static void get_htc_send_packets_credit_based(HTC_TARGET *target,
HTC_PACKET_QUEUE_DEPTH(pQueue))); HTC_PACKET_QUEUE_DEPTH(pQueue)));
pPacket = htc_get_pkt_at_head(tx_queue); pPacket = htc_get_pkt_at_head(tx_queue);
if (!pPacket) if (!pPacket ||
(pPacket->Endpoint >= ENDPOINT_MAX) ||
(pPacket->Endpoint <= ENDPOINT_UNUSED))
break; break;
log_packet_info(target, pPacket); log_packet_info(target, pPacket);
break; break;
@@ -1370,7 +1372,9 @@ static void get_htc_send_packets(HTC_TARGET *target,
/* bus suspended, runtime resume issued */ /* bus suspended, runtime resume issued */
QDF_ASSERT(HTC_PACKET_QUEUE_DEPTH(pQueue) == 0); QDF_ASSERT(HTC_PACKET_QUEUE_DEPTH(pQueue) == 0);
pPacket = htc_get_pkt_at_head(tx_queue); pPacket = htc_get_pkt_at_head(tx_queue);
if (!pPacket) if (!pPacket ||
(pPacket->Endpoint >= ENDPOINT_MAX) ||
(pPacket->Endpoint <= ENDPOINT_UNUSED))
break; break;
log_packet_info(target, pPacket); log_packet_info(target, pPacket);
break; break;