Commit 536fc5b5 authored by Emmanuel Grumbach's avatar Emmanuel Grumbach Committed by Zhengchao Shao
Browse files

wifi: iwlwifi: mvm: don't read past the mfuart notifcation 

stable inclusion
from stable-v6.6.35
commit a05018739a5e6b9dc112c95bd4c59904062c8940
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACQYV
CVE: CVE-2024-40941

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a05018739a5e6b9dc112c95bd4c59904062c8940



---------------------------

[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]

In case the firmware sends a notification that claims it has more data
than it has, we will read past that was allocated for the notification.
Remove the print of the buffer, we won't see it by default. If needed,
we can see the content with tracing.

This was reported by KFENCE.

Fixes: bdccdb85 ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarMiri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
parent 1da53bb2

drivers/net/wireless/intel/iwlwifi/mvm/fw.c

+0 −10
Original line number Diff line number Diff line
@@ -92,20 +92,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, 
{

	struct iwl_rx_packet *pkt = rxb_addr(rxb);

	struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data;

	__le32 *dump_data = mfu_dump_notif->data;

	int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32);

	int i;



	if (mfu_dump_notif->index_num == 0)

		IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n",

			 le32_to_cpu(mfu_dump_notif->assert_id));



	for (i = 0; i < n_words; i++)

		IWL_DEBUG_INFO(mvm,

			       "MFUART assert dump, dword %u: 0x%08x\n",

			       le16_to_cpu(mfu_dump_notif->index_num) *

			       n_words + i,

			       le32_to_cpu(dump_data[i]));

}



static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,