
Commit cdf62e5

wifi: brcmfmac: pcie: handle randbuf allocation failure
jira LE-1907 cve CVE-2024-38575 Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4 commit-author Duoming Zhou <duoming@zju.edu.cn> commit 316f790 The kzalloc() in brcmf_pcie_download_fw_nvram() will return null if the physical memory has run out. As a result, if we use get_random_bytes() to generate random bytes in the randbuf, the null pointer dereference bug will happen. In order to prevent allocation failure, this patch adds a separate function using buffer on kernel stack to generate random bytes in the randbuf, which could prevent the kernel stack from overflow. Fixes: 91918ce ("wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device") Suggested-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://msgid.link/20240306140437.18177-1-duoming@zju.edu.cn (cherry picked from commit 316f790) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent 8363d06 commit cdf62e5


1 file changed

+10
-5
lines changed

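--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1675,6 +1675,15 @@ struct brcmf_random_seed_footer {
 #define BRCMF_RANDOM_SEED_MAGIC 0xfeedc0de
 #define BRCMF_RANDOM_SEED_LENGTH 0x100
 
+static noinline_for_stack void
+brcmf_pcie_provide_random_bytes(struct brcmf_pciedev_info *devinfo, u32 address)
+{
+u8 randbuf[BRCMF_RANDOM_SEED_LENGTH];
+
+get_random_bytes(randbuf, BRCMF_RANDOM_SEED_LENGTH);
+memcpy_toio(devinfo->tcm + address, randbuf, BRCMF_RANDOM_SEED_LENGTH);
+}
+
 static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
 const struct firmware *fw, void *nvram,
 u32 nvram_len)
@@ -1717,7 +1726,6 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
 .length = cpu_to_le32(rand_len),
 .magic = cpu_to_le32(BRCMF_RANDOM_SEED_MAGIC),
 };
-void *randbuf;
 
 /* Some Apple chips/firmwares expect a buffer of random
 * data to be present before NVRAM
@@ -1729,10 +1737,7 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
 sizeof(footer));
 
 address -= rand_len;
-randbuf = kzalloc(rand_len, GFP_KERNEL);
-get_random_bytes(randbuf, rand_len);
-memcpy_toio(devinfo->tcm + address, randbuf, rand_len);
-kfree(randbuf);
+brcmf_pcie_provide_random_bytes(devinfo, address);
 }
 } else {
 brcmf_dbg(PCIE, "No matching NVRAM file found %s\n",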
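Review bot: The new helper `brcmf_pcie_provide_random_bytes()` always writes `BRCMF_RANDOM_SEED_LENGTH` bytes, while the caller still moves `address` back by `rand_len` and advertises `rand_len` in the footer, so the write size and the reserved TCM window are now tied together only by convention. `rand_len` is defined outside the visible hunks; if it is ever not equal to the constant, the copy would either run past the reserved region or leave part of it unseeded. Consider making the coupling explicit, for example `sizeof(randbuf)` inside the helper and `address -= BRCMF_RANDOM_SEED_LENGTH;` in the caller, or passing the length and rejecting anything larger than the buffer. It would also be cheap to add `memzero_explicit(randbuf, sizeof(randbuf));` after `memcpy_toio()` so the seed handed to the firmware does not linger on the kernel stack. `brcmf_pcie_download_fw_nvram()` starts and ends outside the hunks shown.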
