From feb27e5abb72fe8fc0a4e6e672374f4f1cd46ecc Mon Sep 17 00:00:00 2001 From: Emmanuel Grumbach Date: Thu, 19 Mar 2026 11:09:26 +0200 Subject: [PATCH] wifi: iwlwifi: acpi: check the size of the ACPI PPAG tables We need to make sure we don't have a buffer overflow while reading the PPAG tables from ACPI into the firmware runtime object. Add an ACPI specific define for the number of chains in order to decouple the ACPI layout from the other objects. Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20260319110722.451808698662.I91234c8a662608674679ce490b51be792332cd43@changeid --- drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 11 ++++++++++- drivers/net/wireless/intel/iwlwifi/fw/acpi.h | 5 +++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c index d00191e84f202..de30799519cdf 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c @@ -951,6 +951,15 @@ int iwl_acpi_get_ppag_table(struct iwl_fw_runtime *fwrt) goto out_free; read_table: + if (WARN_ON_ONCE(num_sub_bands > + ARRAY_SIZE(fwrt->ppag_chains[0].subbands))) { + ret = -EINVAL; + goto out_free; + } + + BUILD_BUG_ON(ACPI_PPAG_NUM_CHAINS > + ARRAY_SIZE(fwrt->ppag_chains)); + fwrt->ppag_bios_rev = tbl_rev; flags = &wifi_pkg->package.elements[1]; @@ -967,7 +976,7 @@ read_table: * first sub-band (j=0) corresponds to Low-Band (2.4GHz), and the * following sub-bands to High-Band (5GHz). */ - for (i = 0; i < IWL_NUM_CHAIN_LIMITS; i++) { + for (i = 0; i < ACPI_PPAG_NUM_CHAINS; i++) { for (j = 0; j < num_sub_bands; j++) { union acpi_object *ent; diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.h b/drivers/net/wireless/intel/iwlwifi/fw/acpi.h index 06cece4ea6d95..c34dc17ff608b 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.h +++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.h @@ -96,9 +96,10 @@ */ #define ACPI_WTAS_WIFI_DATA_SIZE (3 + IWL_WTAS_BLACK_LIST_MAX) -#define ACPI_PPAG_WIFI_DATA_SIZE_V1 ((IWL_NUM_CHAIN_LIMITS * \ +#define ACPI_PPAG_NUM_CHAINS 2 +#define ACPI_PPAG_WIFI_DATA_SIZE_V1 ((ACPI_PPAG_NUM_CHAINS * \ IWL_NUM_SUB_BANDS_V1) + 2) -#define ACPI_PPAG_WIFI_DATA_SIZE_V2 ((IWL_NUM_CHAIN_LIMITS * \ +#define ACPI_PPAG_WIFI_DATA_SIZE_V2 ((ACPI_PPAG_NUM_CHAINS * \ IWL_NUM_SUB_BANDS_V2) + 2) #define IWL_SAR_ENABLE_MSK BIT(0) -- 2.47.3