
Commit ec3bbe10 authored by Anurag Chouhan's avatar Anurag Chouhan Committed by Gerrit - the friendly Code Review server

wcnss: Fix buffer overflow in wcnss_prealloc_get



There is a potential integer truncation in the wcnss_prealloc_get API.
size_t is 8 bytes on the x64 platform, while "unsigned int" is 4 bytes.
To avoid this integer truncation, pass size as size_t instead
of unsigned int.

CRs-Fixed: 2269610
Change-Id: I14b274dd7cad98b55fdce1aaa27783272231afde
Signed-off-by: default avatarAnurag Chouhan <achouhan@codeaurora.org>
parent 5e6bd0a2
+8 −7
/* Copyright (c) 2012,2014-2016 The Linux Foundation. All rights reserved.
/* Copyright (c) 2012, 2014-2016, 2018 The Linux Foundation. All rights
 * reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -35,7 +36,7 @@ static struct dentry *debug_base;

struct wcnss_prealloc {
	int occupied;
	unsigned int size;
	size_t size;
	void *ptr;
#ifdef CONFIG_SLUB_DEBUG
	unsigned long stack_trace[WCNSS_MAX_STACK_TRACE];
@@ -213,7 +214,7 @@ static inline void wcnss_prealloc_save_stack_trace(struct wcnss_prealloc *entry)
}
#endif

void *wcnss_prealloc_get(unsigned int size)
void *wcnss_prealloc_get(size_t size)
{
	int i = 0;
	unsigned long flags;
@@ -233,7 +234,7 @@ void *wcnss_prealloc_get(unsigned int size)
	}
	spin_unlock_irqrestore(&alloc_lock, flags);

	pr_err("wcnss: %s: prealloc not available for size: %d\n",
	pr_err("wcnss: %s: prealloc not available for size: %zu\n",
	       __func__, size);

	return NULL;
@@ -322,7 +323,7 @@ void wcnss_prealloc_check_memory_leak(void)
			leak_detected = true;
		}

		pr_err("Size: %u, addr: %pK, backtrace:\n",
		pr_err("Size: %zu, addr: %pK, backtrace:\n",
		       wcnss_allocs[i].size, wcnss_allocs[i].ptr);
		print_stack_trace(&wcnss_allocs[i].trace, 1);
	}
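Review bot: `wcnss_prealloc_get` still has no comment stating its contract at the changed signature, and the widened `size_t` parameter only protects the pool lookup if callers also keep the length in a 64-bit type up to the call. I would add above the definition `/* Return a free preallocated buffer able to hold @size bytes, or NULL when no pool entry fits; callers must check for NULL. */`; the "able to hold" wording is inferred from the `prealloc not available for size` message, because the lookup loop lies between the hunks shown here. A caller that computes the length in an `unsigned int` before calling would still wrap before this function sees the value, so the call sites, which are not on this page, are worth checking alongside this change.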
+2 −2
/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -120,7 +120,7 @@ int wcnss_get_wlan_mac_address(char mac_addr[WLAN_MAC_ADDR_SIZE]);
void wcnss_allow_suspend(void);
void wcnss_prevent_suspend(void);
int wcnss_hardware_type(void);
void *wcnss_prealloc_get(unsigned int size);
void *wcnss_prealloc_get(size_t size);
int wcnss_prealloc_put(void *ptr);
void wcnss_reset_fiq(bool clk_chk_en);
void wcnss_suspend_notify(void);
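Review bot: `wcnss_prealloc_get` is declared by hand in this header and again, with `extern`, in the third file of this commit, so the two prototypes have to be edited in lockstep. A translation unit that included only a stale copy would keep passing a 32-bit `unsigned int` and bring back the truncation this commit removes, with no compiler diagnostic. Keeping a single declaration and including that header from the other would turn any mismatch into a build error. If both must stay, a comment such as `/* must match the prototype in the other prealloc header */` next to each would at least make the coupling visible.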
+2 −2
/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2015-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -18,7 +18,7 @@
#define WCNSS_PRE_SKB_ALLOC_GET_THRESHOLD (50*1024)
#endif

extern void *wcnss_prealloc_get(unsigned int size);
extern void *wcnss_prealloc_get(size_t size);
extern int wcnss_prealloc_put(void *ptr);
extern int wcnss_pre_alloc_reset(void);