soc/google/cpif: Fix OOB write in rx_pktproc The fore pointer is passed by CP using shared memory. Without an OOB check for this, we risk an OOB access if the CP firmware gets compromised. Bug: 321941700 Change-Id: I744d58fc54bfa5ac75575ba0921e269766d8a1c7 Signed-off-by: Mahesh Kallelil <kallelil@google.com>

commit: ff9c5a7cd59d14e78e8016010a272189cdfe01e0 [log] [tgz]
author: Mahesh Kallelil <kallelil@google.com> Mon Mar 04 11:07:37 2024 -0800
committer: Mahesh Kallelil <kallelil@google.com> Tue Mar 05 22:12:37 2024 +0000
tree: 627a1a63c20f8d86e55ef8403be36775f1314db9
parent: 5b865ae2443f8367220cc9e3cf2c8e3dd9e02743 [diff]
diff --git a/drivers/soc/google/cpif/link_rx_pktproc.c b/drivers/soc/google/cpif/link_rx_pktproc.c
index 8768b71..db5e736 100644
--- a/drivers/soc/google/cpif/link_rx_pktproc.c
+++ b/drivers/soc/google/cpif/link_rx_pktproc.c

@@ -414,6 +414,14 @@
 	fore = *q->fore_ptr;
 #endif
 
+	/* The fore pointer is passed by CP from shared memory. Check the
+	 * range to avoid OOB access */
+	if ((fore < 0) || (fore >= q->num_desc)) {
+		mif_err("Invalid fore_ptr (%d) passed by CP on queue(%d)!\n",
+			fore, q->q_idx);
+		return -EINVAL;
+	}
+
 	pp_debug("Q%d:%d/%d/%d\n",
 			q->q_idx, fore, *q->rear_ptr, q->done_ptr);
commit	ff9c5a7cd59d14e78e8016010a272189cdfe01e0	[log] [tgz]
author	Mahesh Kallelil <kallelil@google.com>	Mon Mar 04 11:07:37 2024 -0800
committer	Mahesh Kallelil <kallelil@google.com>	Tue Mar 05 22:12:37 2024 +0000
tree	627a1a63c20f8d86e55ef8403be36775f1314db9
parent	5b865ae2443f8367220cc9e3cf2c8e3dd9e02743 [diff]