releases/3.1.9/wl12xx-check-buffer-bound-when-processing-nvs-data.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 Mon Sep 17 00:00:00 2001
 From: Pontus Fuchs <pontus.fuchs@gmail.com>
 Date: Tue, 18 Oct 2011 09:23:42 +0200
 Subject: wl12xx: Check buffer bound when processing nvs data

 From: Pontus Fuchs <pontus.fuchs@gmail.com>

 commit f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 upstream.

 An nvs with malformed contents could cause the processing of the
 calibration data to read beyond the end of the buffer. Prevent this
 from happening by adding bound checking.

 Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
 Reviewed-by: Luciano Coelho <coelho@ti.com>
 Signed-off-by: Luciano Coelho <coelho@ti.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  drivers/net/wireless/wl12xx/boot.c |   14 ++++++++++++++
  1 file changed, 14 insertions(+)

 --- a/drivers/net/wireless/wl12xx/boot.c
 +++ b/drivers/net/wireless/wl12xx/boot.c
 @@ -358,6 +358,9 @@ static int wl1271_boot_upload_nvs(struct
  		nvs_ptr += 3;

  		for (i = 0; i < burst_len; i++) {
 +			if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len)
 +				goto out_badnvs;
 +
  			val = (nvs_ptr[0] | (nvs_ptr[1] << 8)
  			       | (nvs_ptr[2] << 16) | (nvs_ptr[3] << 24));

 @@ -369,6 +372,9 @@ static int wl1271_boot_upload_nvs(struct
  			nvs_ptr += 4;
  			dest_addr += 4;
  		}
 +
 +		if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
 +			goto out_badnvs;
  	}

  	/*
 @@ -380,6 +386,10 @@ static int wl1271_boot_upload_nvs(struct
  	 */
  	nvs_ptr = (u8 *)wl->nvs +
  			ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4);
 +
 +	if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
 +		goto out_badnvs;
 +
  	nvs_len -= nvs_ptr - (u8 *)wl->nvs;

  	/* Now we must set the partition correctly */
 @@ -395,6 +405,10 @@ static int wl1271_boot_upload_nvs(struct

  	kfree(nvs_aligned);
  	return 0;
 +
 +out_badnvs:
 +	wl1271_error("nvs data is malformed");
 +	return -EILSEQ;
  }

  static void wl1271_boot_enable_interrupts(struct wl1271 *wl)
	From f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 Mon Sep 17 00:00:00 2001
	From: Pontus Fuchs <pontus.fuchs@gmail.com>
	Date: Tue, 18 Oct 2011 09:23:42 +0200
	Subject: wl12xx: Check buffer bound when processing nvs data

	From: Pontus Fuchs <pontus.fuchs@gmail.com>

	commit f6efe96edd9c41c624c8f4ddbc4930c1a2d8f1e1 upstream.

	An nvs with malformed contents could cause the processing of the
	calibration data to read beyond the end of the buffer. Prevent this
	from happening by adding bound checking.

	Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
	Reviewed-by: Luciano Coelho <coelho@ti.com>
	Signed-off-by: Luciano Coelho <coelho@ti.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	drivers/net/wireless/wl12xx/boot.c \| 14 ++++++++++++++
	1 file changed, 14 insertions(+)

	--- a/drivers/net/wireless/wl12xx/boot.c
	+++ b/drivers/net/wireless/wl12xx/boot.c
	@@ -358,6 +358,9 @@ static int wl1271_boot_upload_nvs(struct
	nvs_ptr += 3;

	for (i = 0; i < burst_len; i++) {
	+ if (nvs_ptr + 3 >= (u8 *) wl->nvs + nvs_len)
	+ goto out_badnvs;
	+
	val = (nvs_ptr[0] \| (nvs_ptr[1] << 8)
	\| (nvs_ptr[2] << 16) \| (nvs_ptr[3] << 24));

	@@ -369,6 +372,9 @@ static int wl1271_boot_upload_nvs(struct
	nvs_ptr += 4;
	dest_addr += 4;
	}
	+
	+ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
	+ goto out_badnvs;
	}

	/*
	@@ -380,6 +386,10 @@ static int wl1271_boot_upload_nvs(struct
	*/
	nvs_ptr = (u8 *)wl->nvs +
	ALIGN(nvs_ptr - (u8 *)wl->nvs + 7, 4);
	+
	+ if (nvs_ptr >= (u8 *) wl->nvs + nvs_len)
	+ goto out_badnvs;
	+
	nvs_len -= nvs_ptr - (u8 *)wl->nvs;

	/* Now we must set the partition correctly */
	@@ -395,6 +405,10 @@ static int wl1271_boot_upload_nvs(struct

	kfree(nvs_aligned);
	return 0;
	+
	+out_badnvs:
	+ wl1271_error("nvs data is malformed");
	+ return -EILSEQ;
	}

	static void wl1271_boot_enable_interrupts(struct wl1271 *wl)