icnss: Add check on msa region
When icnss receive server arrive it send wlfw_msa_mem_info_send_sync_msg
QMI request to firmware and in response expect range of addresses and size
to be mapped. Add condition to check whether addresses in response falls
under valid range otherwise it asserts.
CRs-Fixed: 2448763
Bug: 129282574
Bug: 132193791
Signed-off-by: Naman Padhiar <npadhiar@codeaurora.org>
Signed-off-by: Rajeev Kumar <quic_rajekuma@quicinc.com>
(cherry picked from commit a6229910e2161b45cebd45f6c2918ca9d9a7d73c)
Change-Id: I9a8542cb6c3b3cefe112d1f08a76dd2eadf68d2f
diff --git a/drivers/soc/qcom/icnss.c b/drivers/soc/qcom/icnss.c
index 28b0b37..3271039 100644
--- a/drivers/soc/qcom/icnss.c
+++ b/drivers/soc/qcom/icnss.c
@@ -1147,6 +1147,7 @@
struct wlfw_msa_info_req_msg_v01 req;
struct wlfw_msa_info_resp_msg_v01 resp;
struct msg_desc req_desc, resp_desc;
+ uint64_t max_mapped_addr;
if (!penv || !penv->wlfw_clnt)
return -ENODEV;
@@ -1193,9 +1194,23 @@
goto out;
}
+ max_mapped_addr = penv->msa_pa + penv->msa_mem_size;
penv->stats.msa_info_resp++;
penv->nr_mem_region = resp.mem_region_info_len;
for (i = 0; i < resp.mem_region_info_len; i++) {
+
+ if (resp.mem_region_info[i].size > penv->msa_mem_size ||
+ resp.mem_region_info[i].region_addr > max_mapped_addr ||
+ resp.mem_region_info[i].region_addr < penv->msa_pa ||
+ resp.mem_region_info[i].size +
+ resp.mem_region_info[i].region_addr > max_mapped_addr) {
+ icnss_pr_dbg("Received out of range Addr: 0x%llx Size: 0x%x\n",
+ resp.mem_region_info[i].region_addr,
+ resp.mem_region_info[i].size);
+ ret = -EINVAL;
+ goto fail_unwind;
+ }
+
penv->mem_region[i].reg_addr =
resp.mem_region_info[i].region_addr;
penv->mem_region[i].size =
@@ -1210,6 +1225,8 @@
return 0;
+fail_unwind:
+ memset(&penv->mem_region[0], 0, sizeof(penv->mem_region[0]) * i);
out:
penv->stats.msa_info_err++;
ICNSS_QMI_ASSERT();
