wifi: iwlwifi: acpi: check the size of the ACPI PPAG tables

We need to make sure we don't have a buffer overflow while reading the
PPAG tables from ACPI into the firmware runtime object.
Add an ACPI specific define for the number of chains in order to
decouple the ACPI layout from the other objects.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260319110722.451808698662.I91234c8a662608674679ce490b51be792332cd43@changeid

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
index d00191e84f202b25cccf2ceb2b47086eb7e94149..de30799519cdfde9bc83f64ae358528215e659bb 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
@@ -951,6 +951,15 @@ int iwl_acpi_get_ppag_table(struct iwl_fw_runtime *fwrt)
        goto out_free;
 
 read_table:
+       if (WARN_ON_ONCE(num_sub_bands >
+                        ARRAY_SIZE(fwrt->ppag_chains[0].subbands))) {
+               ret = -EINVAL;
+               goto out_free;
+       }
+
+       BUILD_BUG_ON(ACPI_PPAG_NUM_CHAINS >
+                    ARRAY_SIZE(fwrt->ppag_chains));
+
        fwrt->ppag_bios_rev = tbl_rev;
        flags = &wifi_pkg->package.elements[1];
 
@@ -967,7 +976,7 @@ read_table:
         * first sub-band (j=0) corresponds to Low-Band (2.4GHz), and the
         * following sub-bands to High-Band (5GHz).
         */
-       for (i = 0; i < IWL_NUM_CHAIN_LIMITS; i++) {
+       for (i = 0; i < ACPI_PPAG_NUM_CHAINS; i++) {
                for (j = 0; j < num_sub_bands; j++) {
                        union acpi_object *ent;
 

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.h b/drivers/net/wireless/intel/iwlwifi/fw/acpi.h
index 06cece4ea6d95ef514d226e823134d5ac9f848bf..c34dc17ff608b4783d8d2b4540aebfeef7c9d876 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.h
@@ -96,9 +96,10 @@
  */
 #define ACPI_WTAS_WIFI_DATA_SIZE       (3 + IWL_WTAS_BLACK_LIST_MAX)
 
-#define ACPI_PPAG_WIFI_DATA_SIZE_V1    ((IWL_NUM_CHAIN_LIMITS * \
+#define ACPI_PPAG_NUM_CHAINS           2
+#define ACPI_PPAG_WIFI_DATA_SIZE_V1    ((ACPI_PPAG_NUM_CHAINS * \
                                          IWL_NUM_SUB_BANDS_V1) + 2)
-#define ACPI_PPAG_WIFI_DATA_SIZE_V2    ((IWL_NUM_CHAIN_LIMITS * \
+#define ACPI_PPAG_WIFI_DATA_SIZE_V2    ((ACPI_PPAG_NUM_CHAINS * \
                                          IWL_NUM_SUB_BANDS_V2) + 2)
 
 #define IWL_SAR_ENABLE_MSK             BIT(0)