qcacmn: Fix possible OOB read in cnss_diag_cmd_handler

The nla_data coming from user space is a variable length data, but the driver is checking nla_len() against a fixed length struct only. It is possible that the nla_len() check against fixed length struct may pass and if the nla_data does not have the payload and it may result in possible out-of-bound read (slot->payload). Hence the fix is to, check if nla_len() is atleast more than the fixed length struct and also account for payload length. Change-Id: I2e68d55c0411cff55908c1704031e3c070f3316e CRs-Fixed: 2825763
2020-12-02 17:50:19 -08:00 · 2020-12-02 17:50:19 -08:00 · f7248d774e
commit f7248d774e
parent 4e87e6c554
1 changed files with 8 additions and 5 deletions
--- a/utils/fwlog/dbglog_host.c
+++ b/utils/fwlog/dbglog_host.c
@ -4224,6 +4224,7 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
 {
 	struct dbglog_slot *slot = NULL;
 	struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1];
 	int len;
 	/*
 	 * audit note: it is ok to pass a NULL policy here since a
@ -4242,15 +4243,17 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
 		return;
 	}
-	if (nla_len(tb[CLD80211_ATTR_DATA]) != sizeof(struct dbglog_slot)) {
+	len = nla_len(tb[CLD80211_ATTR_DATA]);
-		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length check fails\n",
+	if (len < sizeof(struct dbglog_slot)) {
 		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length less than sizeof(struct dbglog_slot)\n",
 				__func__));
 		return;
 	}
 	slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]);
-	if (!slot) {
+	slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]);
-		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: data NULL\n", __func__));
+	if (len != (sizeof(struct dbglog_slot) + (uint64_t) slot->length)) {
 		AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length check fails\n",
 				__func__));
 		return;
 	}