| Age | Commit message (Collapse) | Author |
|---|
|
SBMerger: 410055097
Change-Id: Idd8c7a1d289c2453f54572711c907347910e845e
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 410055097
Change-Id: I68d7a72dae21b00816af2f2adf0a9d5dc8285673
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-barbet-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: I3dad163c435883d099cdff4810b0ed2074fe7859
|
|
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.
Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.
Bug: 203032261
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
|
|
In the WMI_PDEV_FIPS_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
in fixed params is less than or equal to the actual buffer
length before processing the data.
Bug: 206300486
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06
CRs-Fixed: 3009887
|
|
API "fw_diag_data_event_handler" is the handler of an event
WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of
this handler function come from FW.
If num_data may be less than size of(struct wlan_diag_data),
possible OOB while extracting event data.
Fix is to add a sanity check for num_data to avoid the OOB
read.
Bug: 204909067
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810
CRs-Fixed: 3001178
|
|
During beacon or probe response, if channel is dfs && frame type
is MGMT_SUBTYPE_BEACON, it would call "util_scan_add_hidden_ssid"
to deal with the packet. If the ie id matches with SSID then OOB
read may occur in ie_len as it is validated with upper bound of
ie_ssid.
Validate the ie length first. If it is more than 0 then copy
memory to SSID which are equivalent to ie length.
Bug: 204905738
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a
CRs-Fixed: 3007473
|
|
In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
is less than or equal to the actual buffer length.
Bug: 204012850
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
|
|
Currently in function wmi_extract_dbr_buf_release_entry,
num_buf_release_entry & num_meta_data_entry are copied
to direct_buf_rx_rsp structure without any validation which
may cause out of bound issue if num_buf_release_entry or
num_meta_data_entries provided in fixed param becomes greater
than actual number of entries.
Fix is to validate num_entries and num_meta_data before populating
param->num_buf_release_entry and param->num_meta_data_entry.
Bug: 202032183
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a
CRs-Fixed: 3000875
|
|
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.
Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.
Bug: 203032261
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
|
|
Replace WMI_LOGI() with wmi_* appropriate log level.
Bug: 199223496
Test: Basic function test
Change-Id: I7b0c32a2aefc5eb300348edbc6a60e7ad0401439
CRs-Fixed: 2892422
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Register dp_peer_flush_frags API in dp peer ops
for flushing fragments for a particular peer.
Bug: 175626671
Test: Regression test
Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6
CRs-Fixed: 2874366
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 379283923
Change-Id: I17c5df63edbb43bd9f8fe8b71d1aaf838a115965
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Handle ipa buffer smmu map/unmap with below changes,
(1) Do IPA smmu unmap for RX buffer received from REO
exception/WBM RX release/REO DST/RXDMA DST ring.
(2) Align IPA smmu map length to qdf_nbuf_map_nytes_single()
with fixed length.
Bug: 190403734
Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69
CRs-Fixed: 2728644
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Handle ipa buffer smmu map/unmap with below changes,
(1) Do IPA smmu unmap for RX buffer received from REO
exception/WBM RX release/REO DST/RXDMA DST ring.
(2) Align IPA smmu map length to qdf_nbuf_map_nytes_single()
with fixed length.
Bug: 190403734
Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69
CRs-Fixed: 2728644
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit bc3b0905f268c6cf64268be944ac2a28d75fa8a4)
|
|
SBMerger: 351186807
Change-Id: I88a68b1b365198831291b8b4fb9bad174558d62f
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-barbet-4.19-rvc
Aug 2021.1
Bug: 189715888
Bug: 189715042
Change-Id: I63eedce965f031c99291a594f7a3f1e876f0ce80
|
|
Reading extcaps from the scan entry currently checks if the byte
to be accessed is less than the length of the IE. Following this,
it will attempt to access the extcap IE using the requested byte
as the index.
Avoid accessing the extcap IE if the byte is greater than one less
than the ie_len (since indexing starts from zero).
Bug: 184561362
CRs-Fixed: 2856212
Change-Id: Ie357edcd6095570c05871af657381c287e92504e
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit cfd42be7efa8b409ec4614fc41659475ef6e04f4)
|
|
The mac address is tried to be logged from a NULL
bss data pointer, which leads to unwanted behavior.
Remove the logging of mac address from the NULL
bss data pointer.
Bug: 182471523
Test: Regression Test
Change-Id: I83a9e8b1dac0bd4983bf074863987d39187f9db9
CRs-Fixed: 2761731
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Issue: Currently, host doesn't validate pkid_count
before populating data in rsn->pmkid. rsn->pmkid array
can store only 4/MAX_PMKID pmkids which may cause OOB
write if host tries to copy pmkids more than MAX_PMKID.
Fix: validate pkid_count before populating rsn->pmkid
and return Failure in case pkid_count becomes greater
than MAX_PMKID to avoid OOB.
Bug: 188910236
Test: Regression Test
Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Issue: Currently, host doesn't validate pkid_count
before populating data in rsn->pmkid. rsn->pmkid array
can store only 4/MAX_PMKID pmkids which may cause OOB
write if host tries to copy pmkids more than MAX_PMKID.
Fix: validate pkid_count before populating rsn->pmkid
and return Failure in case pkid_count becomes greater
than MAX_PMKID to avoid OOB.
Bug: 188910236
Test: Regression Test
Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 351186807
Change-Id: Ie32d730d240255cbb69da6c1a85e8d4e517f1907
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Reading extcaps from the scan entry currently checks if the byte
to be accessed is less than the length of the IE. Following this,
it will attempt to access the extcap IE using the requested byte
as the index.
Avoid accessing the extcap IE if the byte is greater than one less
than the ie_len (since indexing starts from zero).
Bug: 184561362
CRs-Fixed: 2856212
Change-Id: Ie357edcd6095570c05871af657381c287e92504e
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit cfd42be7efa8b409ec4614fc41659475ef6e04f4)
|
|
Reading extcaps from the scan entry currently checks if the byte
to be accessed is less than the length of the IE. Following this,
it will attempt to access the extcap IE using the requested byte
as the index.
Avoid accessing the extcap IE if the byte is greater than one less
than the ie_len (since indexing starts from zero).
Bug: 184561362
CRs-Fixed: 2856212
Change-Id: Ie357edcd6095570c05871af657381c287e92504e
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 351186807
Change-Id: I1237936acd11722fa02509d7dd4494aebb02c900
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Modify the length check to drop beacons which has
WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH IE length less than 3. This is to
accommodate the addition of fields to this IE in the future.
Bug: 182351550
Change-Id: I8cba60b631022f4348cce90ae41a003964040ad1
CRs-Fixed: 2884249
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.
1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME
Bug: 182351550
Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873394
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
When parsing FILS Indication IE, the data pointer is not
validated while moving the pointer which may cause
out of bound issue.
Validate data pointer before moving pointer.
Bug: 182634675
Change-Id: Ib20f78fe58d7a4c8f9245e6b8d28212499cc6f50
CRs-Fixed: 2842475
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
During multiple BSSID scan ie parse, there is memory allocation
on new_ie variable of size 1024 which may create buffer overflow
in util_gen_new_ie() if ie length is greater than 1024.
As part of fix, allocate memory of size ie length in new_ie.
And also add check before copying to pos variable in
util_gen_new_ie().
Bug: 182634675
Change-Id: I55e0819817b5a616684067170bf28a314a145fc2
CRs-Fixed: 2867353
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add CDP interface support for flushing fragments for a
particular peer.
Bug: 182958222
Change-Id: Ic59843408037b9c858599be13727422c2e3031cd
CRs-Fixed: 2875946
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Modify the length check to drop beacons which has
WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH IE length less than 3. This is to
accommodate the addition of fields to this IE in the future.
Bug: 182351550
Change-Id: I8cba60b631022f4348cce90ae41a003964040ad1
CRs-Fixed: 2884249
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.
1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME
Bug: 182351550
Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873394
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
When parsing FILS Indication IE, the data pointer is not
validated while moving the pointer which may cause
out of bound issue.
Validate data pointer before moving pointer.
Bug: 182634675
Change-Id: Ib20f78fe58d7a4c8f9245e6b8d28212499cc6f50
CRs-Fixed: 2842475
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
During multiple BSSID scan ie parse, there is memory allocation
on new_ie variable of size 1024 which may create buffer overflow
in util_gen_new_ie() if ie length is greater than 1024.
As part of fix, allocate memory of size ie length in new_ie.
And also add check before copying to pos variable in
util_gen_new_ie().
Bug: 182634675
Change-Id: I55e0819817b5a616684067170bf28a314a145fc2
CRs-Fixed: 2867353
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add CDP interface support for flushing fragments for a
particular peer.
Bug: 182958222
Change-Id: Ic59843408037b9c858599be13727422c2e3031cd
CRs-Fixed: 2875946
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Test: manual test, vts/vts-kernel, pts/base, pts/postsubmit-long
Bug: 178761247
Signed-off-by: Lucas Wei <lucaswei@google.com>
Change-Id: Ife589fd43ca2efe57ee5d5a2502655ae0ec87fc0
|
|
Currently, list empty checks for scan_req_q is done outside the lock.
This is causing synchronization issue during scan and SSR/vdev delete
in parallel.
To avoid this, check for scan_req_q empty inside the lock.
This change also updates the return type of
wlan_schedule_scan_start_request to QDF_STATUS, which is expected by
caller API.
Bug: 177955534
Change-Id: I8b6febdd98af7856fb047b1c9d852e4944a137b5
CRs-Fixed: 2763173
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently, vendor scan request is enqueued in the scan queue first and
then posted into the scheduler queue. Now if there is an SSR in between,
then scan request will be freed twice. Once in SSR context and again
in the caller context because scan scheduling fails due to user disabled
the scan.
To resolve this, post the scan request in scheduler queue first. Once
scan request scheduling is success, then enqueue the scan request in
scan queue. This approach can lead to a race condition like after
scheduling scan request, host may get scan response from firmware even
before the scan request is queued. To avoid this race, scan request
scheduling and enqueue should be protected by scan_req_q_lock.
Bug: 177955534
Change-Id: Ic26da0181fb9a902a8a4abb8f68d9fc668f1b3f2
CRs-Fixed: 2714495
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
During esp ie parse from beacon/probe response, the data pointer
is getting read from esp ie and it's not validate while updating
to esp params which may cause out of bound read issue.
Validate data pointer before updating to esp params.
Bug: 177576987
Change-Id: I1167b82248613cc65fcd7c70cdcfe57595de6b21
CRs-Fixed: 2842234
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
If is_bwnss_oui return true in util_scan_parse_vendor_ie,
and it will run into below logical:
scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8)
But in fact if ie->ie_len < 6, it will casue read out
of boundary issue. So add the length chekcing before
reading it
Bug: 177576987
Change-Id: I0cdf723154eb808f8062efd897f9d67d54d4573b
CRs-Fixed: 2838849
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
In function wlan_parse_wapi_ie(), len shows the remaining length
for ie content, it may cause oob issue when get uc_cipher_count
field from ie, need to add length check before get uc_cipher_count
field from ie.
Bug: 176399941
Change-Id: Ie2d65284b2a172021d00f6385253368ec7603948
CRs-Fixed: 2832873
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently, list empty checks for scan_req_q is done outside the lock.
This is causing synchronization issue during scan and SSR/vdev delete
in parallel.
To avoid this, check for scan_req_q empty inside the lock.
This change also updates the return type of
wlan_schedule_scan_start_request to QDF_STATUS, which is expected by
caller API.
Bug: 177955534
Change-Id: I8b6febdd98af7856fb047b1c9d852e4944a137b5
CRs-Fixed: 2763173
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently, vendor scan request is enqueued in the scan queue first and
then posted into the scheduler queue. Now if there is an SSR in between,
then scan request will be freed twice. Once in SSR context and again
in the caller context because scan scheduling fails due to user disabled
the scan.
To resolve this, post the scan request in scheduler queue first. Once
scan request scheduling is success, then enqueue the scan request in
scan queue. This approach can lead to a race condition like after
scheduling scan request, host may get scan response from firmware even
before the scan request is queued. To avoid this race, scan request
scheduling and enqueue should be protected by scan_req_q_lock.
Bug: 177955534
Change-Id: Ic26da0181fb9a902a8a4abb8f68d9fc668f1b3f2
CRs-Fixed: 2714495
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
During esp ie parse from beacon/probe response, the data pointer
is getting read from esp ie and it's not validate while updating
to esp params which may cause out of bound read issue.
Validate data pointer before updating to esp params.
Bug: 177576987
Change-Id: I1167b82248613cc65fcd7c70cdcfe57595de6b21
CRs-Fixed: 2842234
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
If is_bwnss_oui return true in util_scan_parse_vendor_ie,
and it will run into below logical:
scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8)
But in fact if ie->ie_len < 6, it will casue read out
of boundary issue. So add the length chekcing before
reading it
Bug: 177576987
Change-Id: I0cdf723154eb808f8062efd897f9d67d54d4573b
CRs-Fixed: 2838849
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Merge kernel from build ab/7056683
Bug: 177377122
Signed-off-by: Lucas Wei <lucaswei@google.com>
Change-Id: I7edc25ac43c9ec492d8611c785ff4437f2391e57
|
|
In function wlan_parse_wapi_ie(), len shows the remaining length
for ie content, it may cause oob issue when get uc_cipher_count
field from ie, need to add length check before get uc_cipher_count
field from ie.
Bug: 176399941
Change-Id: Ie2d65284b2a172021d00f6385253368ec7603948
CRs-Fixed: 2832873
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
android-msm-barbet-4.19
Commits list:
bbf8dd9b qcacmn: Enable/Disable SRD support for vdev
24051346 qcacmn: Inform fw if NAN is disabled on an SRD channel
aa833f24 qcacmn: Reduce the level of logs for reg-domain
99765385 qcacmn: Add service bit support for tx and rx time in channel stats
79225337 qcacmn: Add support for wmi_ext2 service bitmap
7f0fd156 qcacmn: Update channel tx_time and rx_time to user space
f54eb717 qcacmn: Discard 5G candidates based on RSSI threshold
c68616ea qcacmn: Add length check in ndp event handler
f4801401 qcacmn: Validate NDP app info length before accessing NDP app info
Bug: 174211811
Change-Id: I62f7ca2222edb93cbf9d458bb7a74d61395f72ca
|
|
Currently, NDP app info length is not being validated with max NDP
app info length. This may result in buffer oveflow wile accessing
NDP app info received from the firmware.
To address this, validate NDP app info length before accessing NDP
app info
Bug: 172944461
Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 2795961
Signed-off-by: Victor Hsu <hsuvictor@google.com>
|
|
qcacld-2.0 to qcacld-3.0 propagation
Add length check to prevent the data overflow the wmi buffer. The
length in the fixed_params and TLV hdr also need check.
Bug: 172619503
Change-Id: I2bbf9f08b6c19062324dca420af08ff94835eaca
CRs-Fixed: 2248879
Signed-off-by: Victor Hsu <hsuvictor@google.com>
|
