[PATCH v3 2/3] wifi: wlcore: fix OOB read from firmware max_buff_size in logger handler

From: Tristan Madani

Date: Tue Apr 21 2026 - 09:57:58 EST


From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The firmware-controlled max_buff_size field is used to compute buffer
offsets in wlcore_event_fw_logger() without validation against the
4128-byte kernel allocation. An inflated value causes out-of-bounds
reads from kernel heap, with the data written to the debugfs-accessible
fwlog ring buffer.

Cap max_buff_size at the allocation size minus the header offset.

Fixes: 3719c17e1816 ("wlcore/wl18xx: fw logger over sdio")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

drivers/net/wireless/ti/wlcore/event.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ti/wlcore/event.c b/drivers/net/wireless/ti/wlcore/event.c
index 6c3a8ea9613e9..26c74dfcaeeff 100644
--- a/drivers/net/wireless/ti/wlcore/event.c
+++ b/drivers/net/wireless/ti/wlcore/event.c
@@ -61,6 +61,13 @@ int wlcore_event_fw_logger(struct wl1271 *wl)
if (actual_len == 0)
goto free_out;

+ if (le32_to_cpu(fw_log.max_buff_size) >
+ WL18XX_LOGGER_SDIO_BUFF_MAX - WL18XX_LOGGER_BUFF_OFFSET) {
+ wl1271_error("fw logger: max_buff_size %u exceeds buffer\n",
+ le32_to_cpu(fw_log.max_buff_size));
+ goto free_out;
+ }
+
/* Calculate the internal pointer to the fwlog structure */
addr_ptr = internal_fw_addrbase + addr;

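Review bot: the commit message says max_buff_size is "capped", but the added check does not clamp the value; it logs an error and jumps to free_out, dropping the whole logger event. Either reword the message to say the event is rejected when max_buff_size exceeds WL18XX_LOGGER_SDIO_BUFF_MAX - WL18XX_LOGGER_BUFF_OFFSET, or clamp the field if the intent really is to keep processing. Two smaller points on the same hunk: le32_to_cpu(fw_log.max_buff_size) is evaluated twice, so a local such as `u32 max_buff_size = le32_to_cpu(fw_log.max_buff_size);` before the check would keep the condition and the error message on one line each; and since a firmware that reports an inflated value will do so on every logger event, it is worth considering whether this error print should be rate limited rather than emitted per event.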
--
2.47.3