From 0592b04b06ec20db4c436ddb85731a26c9d4da9e Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: May 25 2023 07:19:34 +0000
Subject: wifi: iwlwifi: pcie: Fix integer overflow in

iwl_write_to_user_buf (git-fixes).

---

diff --git a/patches.suse/wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_write_.patch b/patches.suse/wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_write_.patch
new file mode 100644
index 0000000..0dc54c8
--- /dev/null
+++ b/patches.suse/wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_write_.patch
@@ -0,0 +1,56 @@
+From 58d1b717879bfeabe09b35e41ad667c79933eb2e Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Fri, 14 Apr 2023 13:11:59 +0300
+Subject: [PATCH] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
+Git-commit: 58d1b717879bfeabe09b35e41ad667c79933eb2e
+Patch-mainline: v6.4-rc1
+References: git-fixes
+
+An integer overflow occurs in the iwl_write_to_user_buf() function,
+which is called by the iwl_dbgfs_monitor_data_read() function.
+
+static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
+				  void *buf, ssize_t *size,
+				  ssize_t *bytes_copied)
+{
+	int buf_size_left = count - *bytes_copied;
+
+	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
+	if (*size > buf_size_left)
+		*size = buf_size_left;
+
+If the user passes a SIZE_MAX value to the "ssize_t count" parameter,
+the ssize_t count parameter is assigned to "int buf_size_left".
+Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a
+negative number, so "*size" is assigned "buf_size_left" and goes into
+the third argument of the copy_to_user function, causing a heap overflow.
+
+This is not a security vulnerability because iwl_dbgfs_monitor_data_read()
+is a debugfs operation with 0400 privileges.
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 40283fe622da..1b32a4035d88 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -2860,7 +2860,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
+ 				  void *buf, ssize_t *size,
+ 				  ssize_t *bytes_copied)
+ {
+-	int buf_size_left = count - *bytes_copied;
++	ssize_t buf_size_left = count - *bytes_copied;
+ 
+ 	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
+ 	if (*size > buf_size_left)
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index b4fbc65..830b7bf 100644
--- a/series.conf
+++ b/series.conf
@@ -19937,6 +19937,7 @@
 	patches.suse/wifi-iwlwifi-yoyo-Fix-possible-division-by-zero.patch
 	patches.suse/wifi-iwlwifi-mvm-initialize-seq-variable.patch
 	patches.suse/wifi-iwlwifi-fw-move-memset-before-early-return.patch
+	patches.suse/wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_write_.patch
 	patches.suse/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch
 	patches.suse/wifi-iwlwifi-mvm-check-firmware-response-size.patch
 	patches.suse/wifi-iwlwifi-fw-fix-memory-leak-in-debugfs.patch