Commit d63f057f authored by Emmanuel Grumbach's avatar Emmanuel Grumbach Committed by Zhengchao Shao
Browse files

wifi: iwlwifi: mvm: don't read past the mfuart notifcation 

stable inclusion
from stable-v5.10.221
commit 46c59a25337049a2a230ce7f7c3b9f21d0aaaad7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACQYV
CVE: CVE-2024-40941

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=46c59a25337049a2a230ce7f7c3b9f21d0aaaad7



---------------------------

[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]

In case the firmware sends a notification that claims it has more data
than it has, we will read past that was allocated for the notification.
Remove the print of the buffer, we won't see it by default. If needed,
we can see the content with tracing.

This was reported by KFENCE.

Fixes: bdccdb85 ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarMiri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
parent 6a89f168

drivers/net/wireless/intel/iwlwifi/mvm/fw.c

+0 −10
Original line number Diff line number Diff line
@@ -196,20 +196,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, 
{

	struct iwl_rx_packet *pkt = rxb_addr(rxb);

	struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data;

	__le32 *dump_data = mfu_dump_notif->data;

	int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32);

	int i;



	if (mfu_dump_notif->index_num == 0)

		IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n",

			 le32_to_cpu(mfu_dump_notif->assert_id));



	for (i = 0; i < n_words; i++)

		IWL_DEBUG_INFO(mvm,

			       "MFUART assert dump, dword %u: 0x%08x\n",

			       le16_to_cpu(mfu_dump_notif->index_num) *

			       n_words + i,

			       le32_to_cpu(dump_data[i]));

}



static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,