| From 89f8765a11d8df49296d92c404067f9b5c58ee26 Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Wed, 27 Oct 2021 10:08:19 +0200 |
| Subject: mwifiex: fix division by zero in fw download path |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 89f8765a11d8df49296d92c404067f9b5c58ee26 upstream. |
| |
| Add the missing endpoint sanity checks to probe() to avoid division by |
| zero in mwifiex_write_data_sync() in case a malicious device has broken |
| descriptors (or when doing descriptor fuzz testing). |
| |
| Only add checks for the firmware-download boot stage, which require both |
| command endpoints, for now. The driver looks like it will handle a |
| missing endpoint during normal operation without oopsing, albeit not |
| very gracefully as it will try to submit URBs to the default pipe and |
| fail. |
| |
| Note that USB core will reject URBs submitted for endpoints with zero |
| wMaxPacketSize but that drivers doing packet-size calculations still |
| need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip |
| endpoint descriptors with maxpacket=0")). |
| |
| Fixes: 4daffe354366 ("mwifiex: add support for Marvell USB8797 chipset") |
| Cc: stable@vger.kernel.org # 3.5 |
| Cc: Amitkumar Karwar <akarwar@marvell.com> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Reviewed-by: Brian Norris <briannorris@chromium.org> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Link: https://lore.kernel.org/r/20211027080819.6675-4-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/wireless/marvell/mwifiex/usb.c | 16 ++++++++++++++++ |
| 1 file changed, 16 insertions(+) |
| |
| --- a/drivers/net/wireless/marvell/mwifiex/usb.c |
| +++ b/drivers/net/wireless/marvell/mwifiex/usb.c |
| @@ -505,6 +505,22 @@ static int mwifiex_usb_probe(struct usb_ |
| } |
| } |
| |
| + switch (card->usb_boot_state) { |
| + case USB8XXX_FW_DNLD: |
| + /* Reject broken descriptors. */ |
| + if (!card->rx_cmd_ep || !card->tx_cmd_ep) |
| + return -ENODEV; |
| + if (card->bulk_out_maxpktsize == 0) |
| + return -ENODEV; |
| + break; |
| + case USB8XXX_FW_READY: |
| + /* Assume the driver can handle missing endpoints for now. */ |
| + break; |
| + default: |
| + WARN_ON(1); |
| + return -ENODEV; |
| + } |
| + |
| usb_set_intfdata(intf, card); |
| |
| ret = mwifiex_add_card(card, &card->fw_done, &usb_ops, |
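
Review bot: In the USB8XXX_FW_DNLD case, both rejections return -ENODEV without logging anything, so when a device fails to bind there is no record of whether a command endpoint was missing or bulk_out_maxpktsize was zero. A dev_err() (or dev_dbg()) on &intf->dev before each return would make a rejected descriptor diagnosable from the kernel log. Separately, the default branch uses WARN_ON(1): that is fine if card->usb_boot_state can only take values the driver itself assigns, but it is worth confirming, since a WARN reachable from device-supplied data becomes a crash on systems running with panic_on_warn. The USB8XXX_FW_READY comment says missing endpoints are tolerated "for now"; a short pointer to where those are handled, or a TODO, would help whoever revisits that assumption.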