Commit a4a4d6b9 authored Oct 30, 2024 by Karthikeyan Periyasamy Committed by Chen Zhongjin Oct 30, 2024

wifi: ath12k: fix array out-of-bound access in SoC stats

stable inclusion
from stable-v6.6.55
commit d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR8S
CVE: CVE-2024-49931

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f



--------------------------------

[ Upstream commit e106b7ad13c1d246adaa57df73edb8f8b8acb240 ]

Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()
function access ath12k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To
fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240704070811.4186543-2-quic_periyasa@quicinc.com


Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>

parent 1fd61a1a

drivers/net/wireless/ath/ath12k/dp_rx.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2670,7 +2670,7 @@ int ath12k_dp_rx_process(struct ath12k_base *ab, int ring_id,
		if (push_reason !=
		HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION) {
		dev_kfree_skb_any(msdu);
		ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++;
		ab->soc_stats.hal_reo_error[ring_id]++;
		continue;
		}