Commit f2bfafb0 authored Mar 21, 2024 by Emmanuel Grumbach Committed by Guo Mengqi Mar 21, 2024

wifi: iwlwifi: fix a memory corruption

stable inclusion
from stable-v5.10.210
commit 05dd9facfb9a1e056752c0901c6e86416037d15a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I97NI6
CVE: CVE-2024-26610

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=05dd9facfb9a1e056752c0901c6e86416037d15a

--------------------------------

commit cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d upstream.

iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that
if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in
bytes, we'll write past the buffer.

Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218233


Fixes: cf29c5b6 ("iwlwifi: dbg_ini: implement time point handling")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240111150610.2d2b8b870194.I14ed76505a5cf87304e0c9cc05cc0ae85ed3bf91@changeid


Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>

parent c2bdc9e9

drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -876,7 +876,7 @@ static int iwl_dbg_tlv_override_trig_node(struct iwl_fw_runtime *fwrt,
		node_trig = (void *)node_tlv->data;
		}

		memcpy(node_trig->data + offset, trig->data, trig_data_len);
		memcpy((u8 *)node_trig->data + offset, trig->data, trig_data_len);
		node_tlv->length = cpu_to_le32(size);

		if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_CFG) {