Commit log
When handling WMI_ROAM_SCAN_STATS_EVENTID,
the number of channels scanned for each roam trigger is fetched from
the wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count).
The total number of channels for all the roam triggers is fetched from
param_buf->num_roam_scan_chan_info.
chan_idx is the index used to fetch the current channel info TLV to be
read. So if the wmi_roam_scan_info->roam_scan_channel_count provided by
firmware exceeds the total param_buf->num_roam_scan_chan_info starting
from the given chan_idx, an OOB access of the event buffer can happen.
To avoid this, validate the sum of the current chan_idx and
src_data->roam_scan_channel_count against
evt_buf->num_roam_scan_chan_info.
Bug: 280447263
Test: Regression Test
Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8
CRs-Fixed: 3357714
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 478053055
Change-Id: I30e8e19b3c5bf0f8b074c1ee90c85d667f5cd0f4
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
The TID in the RX frame header may be larger than the maximum allowed
TID value; this leads to an out-of-bounds array access and eventually
to a kernel crash. This change adds a TID check and discards such
frames when necessary.
Bug: 261470732
Test: Regression Test
Change-Id: I11f312668a5a42d690c058550f22b0f36f952104
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
CRs-Fixed: 3264581
|
|
SBMerger: 410055097
Change-Id: I9f1307e0e17fc2a4b9368860af7f7d8494a723ac
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: Idd8c7a1d289c2453f54572711c907347910e845e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I68d7a72dae21b00816af2f2adf0a9d5dc8285673
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I5f5df6feeeff63e0c49d88597f925b2134fe32a8
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: Ic93d1889ace993d5992a6a73e0990283614474ff
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-barbet-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: I3dad163c435883d099cdff4810b0ed2074fe7859
|
|
android-msm-pixel-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: Id846fa21d4982f0fad8954436c58af7ba5647575
|
|
The API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. The host receives
"rsp->dma_len" from fw. An integer overflow occurs if
"oem_rsp->dma_len" is large enough while calculating the total
length of the OEM Data response buffer.
The fix is to add a sanity check for rsp->dma_len to avoid the integer
overflow.
Bug: 203032261
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
|
|
In the WMI_PDEV_FIPS_EVENTID event handling, add a length
check to validate that the buffer length sent by the firmware
in fixed params is less than or equal to the actual buffer
length before processing the data.
Bug: 206300486
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06
CRs-Fixed: 3009887
|
|
The API "fw_diag_data_event_handler" is the handler for the
WMI_DIAG_DATA_CONTAINER_EVENTID event, which comes from FW. The
arguments of this handler function come from FW.
If num_data is less than sizeof(struct wlan_diag_data), an OOB
read is possible while extracting event data.
The fix is to add a sanity check for num_data to avoid the OOB
read.
Bug: 204909067
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810
CRs-Fixed: 3001178
|
|
While processing a beacon or probe response, if the channel is DFS and
the frame type is MGMT_SUBTYPE_BEACON, "util_scan_add_hidden_ssid" is
called to handle the packet. If the IE ID matches SSID, an OOB read
may occur on ie_len, as it is validated against the upper bound of
ie_ssid.
Validate the IE length first. If it is greater than 0, copy ie_len
bytes of memory to the SSID.
Bug: 204905738
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a
CRs-Fixed: 3007473
|
|
In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate that the buffer length sent by the firmware
is less than or equal to the actual buffer length.
Bug: 204012850
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
|
|
Currently, in the function wmi_extract_dbr_buf_release_entry,
num_buf_release_entry and num_meta_data_entry are copied
to the direct_buf_rx_rsp structure without any validation, which
may cause an out-of-bounds issue if the num_buf_release_entry or
num_meta_data_entries provided in the fixed param is greater
than the actual number of entries.
The fix is to validate num_entries and num_meta_data before populating
param->num_buf_release_entry and param->num_meta_data_entry.
Bug: 202032183
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a
CRs-Fixed: 3000875
|
|
SBMerger: 379283923
Change-Id: I261e9f4421a0dde9225bf3fb90ec271e72b96c8b
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
|
SBMerger: 379283923
Change-Id: I71b016da81e84b9a413e398ea629e7568133fd5a
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Replace WMI_LOGI() with wmi_* appropriate log level.
Bug: 199223496
Test: Basic function test
Change-Id: I7b0c32a2aefc5eb300348edbc6a60e7ad0401439
CRs-Fixed: 2892422
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Bug: 194667419
Signed-off-by: Lucas Wei <lucaswei@google.com>
Change-Id: I18b176b089c3988047a6cb2ffb90c4cedf23d322
|
|
SBMerger: 379283923
Change-Id: I9fd640e63114b71bb6331e0ae3ae7140de857eab
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 379283923
Change-Id: Iddca3c7bbc4bfc5d04c7ec923863324766ae6c69
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Register dp_peer_flush_frags API in dp peer ops
for flushing fragments for a particular peer.
Bug: 175626671
Test: Regression test
Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6
CRs-Fixed: 2874366
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 379283923
Change-Id: I15896ea7f766b46ac1897d3c6dba051f48b8a6a5
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 379283923
Change-Id: I17c5df63edbb43bd9f8fe8b71d1aaf838a115965
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 379283923
Change-Id: If5d400924f40a1bb3b5935cd81c0ef19161c4ed9
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 379283923
Change-Id: If8d1436d95d20e3930a05dd61b1bf7b7da486a5b
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Handle IPA buffer SMMU map/unmap with the changes below:
(1) Do IPA SMMU unmap for RX buffers received from the REO
exception/WBM RX release/REO DST/RXDMA DST rings.
(2) Align the IPA SMMU map length to qdf_nbuf_map_nytes_single()
with a fixed length.
Bug: 190403734
Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69
CRs-Fixed: 2728644
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Handle ipa buffer smmu map/unmap with below changes,
(1) Do IPA smmu unmap for RX buffer received from REO
exception/WBM RX release/REO DST/RXDMA DST ring.
(2) Align IPA smmu map length to qdf_nbuf_map_nytes_single()
with fixed length.
Bug: 190403734
Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69
CRs-Fixed: 2728644
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit bc3b0905f268c6cf64268be944ac2a28d75fa8a4)
|
|
android-msm-pixel-4.19-rvc-qpr3
Sep 2021.1
Bug: 192411697
Change-Id: I189118f0e3889120068f48c5dde4f8e337a3e2a2
|
|
SBMerger: 351186807
Change-Id: I88a68b1b365198831291b8b4fb9bad174558d62f
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-barbet-4.19-rvc
Aug 2021.1
Bug: 189715888
Bug: 189715042
Change-Id: I63eedce965f031c99291a594f7a3f1e876f0ce80
|
|
SBMerger: 351186807
Change-Id: I923e3f5d28dc0ad507aec3686e8d2c4ce2fd096d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-pixel-4.19-rvc-qpr3
Aug 2021.1
Bug: 189715888
Change-Id: I7e2510f0b1d97ea72ae908563e2044f7ddcc1f69
|
|
Reading extcaps from the scan entry currently checks if the byte
to be accessed is less than the length of the IE. Following this,
it will attempt to access the extcap IE using the requested byte
as the index.
Avoid accessing the extcap IE if the byte is greater than one less
than the ie_len (since indexing starts from zero).
Bug: 184561362
CRs-Fixed: 2856212
Change-Id: Ie357edcd6095570c05871af657381c287e92504e
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit cfd42be7efa8b409ec4614fc41659475ef6e04f4)
|
|
An attempt is made to log the MAC address from a NULL
bss data pointer, which leads to unwanted behavior.
Remove the logging of the MAC address from the NULL
bss data pointer.
Bug: 182471523
Test: Regression Test
Change-Id: I83a9e8b1dac0bd4983bf074863987d39187f9db9
CRs-Fixed: 2761731
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>