[PATCH v2] soc: qcom: qmi_encdec: Restrict string length in decode

From: Praveenkumar I
Date: Mon Jul 31 2023 - 06:04:28 EST

Next message: Jerome Brunet: "Re: [PATCH 01/12] ASoC: dt-bindings: amlogic,gx-sound-card: correct maxItems constraints"
Previous message: Qu Wenruo: "Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge"
Next in thread: Bjorn Andersson: "Re: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in decode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.

Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Chris Lew <quic_clew@xxxxxxxxxxx>
Signed-off-by: Praveenkumar I <quic_ipkumar@xxxxxxxxxxx>
---
[v2]:
Added Fixes and Cc: stable

drivers/soc/qcom/qmi_encdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
index b7158e3c3a0b..5c7161b18b72 100644
--- a/drivers/soc/qcom/qmi_encdec.c
+++ b/drivers/soc/qcom/qmi_encdec.c
@@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array,
decoded_bytes += rc;
}

- if (string_len > temp_ei->elem_len) {
- pr_err("%s: String len %d > Max Len %d\n",
+ if (string_len >= temp_ei->elem_len) {
+ pr_err("%s: String len %d >= Max Len %d\n",
__func__, string_len, temp_ei->elem_len);
return -ETOOSMALL;
} else if (string_len > tlv_len) {
--
2.34.1

Next message: Jerome Brunet: "Re: [PATCH 01/12] ASoC: dt-bindings: amlogic,gx-sound-card: correct maxItems constraints"
Previous message: Qu Wenruo: "Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge"
Next in thread: Bjorn Andersson: "Re: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in decode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]