From patchwork Fri Jan 12 14:42:28 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Lamparter <chunkeey@gmail.com>
X-Patchwork-Id: 10161307
Return-Path: 
 <kernel-hardening-return-11233-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A100D602B3 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri, 12 Jan 2018 16:10:39 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7DA9728A56
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri, 12 Jan 2018 16:10:39 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6F3C528A59; Fri, 12 Jan 2018 16:10:39 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 3ADEA28A56
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri, 12 Jan 2018 16:10:37 +0000 (UTC)
Received: (qmail 18051 invoked by uid 550); 12 Jan 2018 16:10:36 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Delivered-To: moderator for kernel-hardening@lists.openwall.com
Received: (qmail 2020 invoked from network); 12 Jan 2018 14:42:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=x88s7hzEbU/wjKh0L+/4gjOCM4J6TocKd8xqcCm26jQ=;
	b=h3cZZFdd7P9xIFIbsmfIfDlOXbfPSKBfMQQJZBV+Tq4bqcP66KrTSqqyoPGj5j7nEt
	ASzlXskB6/eC+trier833gMn349AbZMJvE07KHb3HH37zsxA1S3fe+4HECWCtPruzwjj
	dyJR7sYFpQ6qOVDMxR+2nknJ0QT0An56bW5caFZBHWOCZCzNSa1jyVc/36TkeZGNVvKB
	RaorthRYQmeTDiVGm7eVIJ5puu1WI1kGn73nUYvOKNVkUVdHeLMueZdTjps0Stc3DqQx
	sdPzeP5U/m84m10OosEzs4O5elAS5aWsXasGLnAUihdj+AyK0SSHvgkFdSdCJ4atYNYV
	l+Uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=x88s7hzEbU/wjKh0L+/4gjOCM4J6TocKd8xqcCm26jQ=;
	b=Wi+PtoMPH+/Z5zaRAIpH9THdl6JBn8XqvrfPI2a1q93jPSwLmrb6pzhpAAnexnWuB0
	qXTWRVNvntHwHWazwhL6XtDRfraMMSR69cvwg9X3gL+rKn4UxJD4NZpF0m4V9xpHNyxI
	OCtQ3E9R0Y4kebBvzvx40XR+8yjRa+eeoBESkT4AJv0GhaqYYdn3h41qfXlyhvPKe6Se
	EWFsobR/KmVAx7iyo6wKkCkSp0REJnx8hqInhTQ7YdcB/UCne6iPmFL1ospMzIH7Hj1d
	EkoeQjQlqv8V18EtoL9wRiBEbxh26fxr/MVcYIMgSgN20gHXUM1TTdJepPlkwtsoGRq6
	80Fg==
X-Gm-Message-State: AKGB3mIVT/30kkkbSBs73UsFesjwG5Ab4ix3t2lkFWoaWkiTyt2/NAje
	gGcHmD3QC3b+M1EdD1bf22+wEVCOw34=
X-Google-Smtp-Source: 
 ACJfBoueE/KRKFbC9+MsJBq4ODcAivqQwcHZefU6vD7mn71etAfLrTUZ898pEjOHFS3/l5RMSU0vWQ==
X-Received: by 10.223.174.236 with SMTP id
	y99mr15586110wrc.117.1515768150501;
	Fri, 12 Jan 2018 06:42:30 -0800 (PST)
From: Christian Lamparter <chunkeey@gmail.com>
X-Google-Original-From: Christian Lamparter <chunkeey@googlemail.com>
To: Dan Williams <dan.j.williams@intel.com>
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
	kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	Elena Reshetova <elena.reshetova@intel.com>,
	tglx@linutronix.de, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, Kalle Valo <kvalo@codeaurora.org>,
	alan@linux.intel.com
Date: Fri, 12 Jan 2018 15:42:28 +0100
Message-ID: <1648304.tjl4HeBnOe@debian64>
In-Reply-To: 
 <151571806633.27429.1504260808341642890.stgit@dwillia2-desk3.amr.corp.intel.com>
References: 
 <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com>
	<151571806633.27429.1504260808341642890.stgit@dwillia2-desk3.amr.corp.intel.com>
MIME-Version: 1.0
Subject: [kernel-hardening] Re: [PATCH v2 15/19] carl9170: prevent
	bounds-check bypass via speculative execution
X-Virus-Scanned: ClamAV using ClamSMTP

On Friday, January 12, 2018 1:47:46 AM CET Dan Williams wrote:
> Static analysis reports that 'queue' may be a user controlled value that
> is used as a data dependency to read from the 'ar9170_qmap' array. In
> order to avoid potential leaks of kernel memory values, block
> speculative execution of the instruction stream that could issue reads
> based on an invalid result of 'ar9170_qmap[queue]'. In this case the
> value of 'ar9170_qmap[queue]' is immediately reused as an index to the
> 'ar->edcf' array.
> 
> Based on an original patch by Elena Reshetova.
> 
> Cc: Christian Lamparter <chunkeey@googlemail.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
This patch (and p54, cw1200) look like the same patch?! 
Can you tell me what happend to:

On Saturday, January 6, 2018 5:34:03 PM CET Dan Williams wrote:
> On Sat, Jan 6, 2018 at 6:23 AM, Christian Lamparter <chunkeey@gmail.com> wrote:
> > And Furthermore a invalid queue (param->ac) would cause a crash in
> > this line in mac80211 before it even reaches the driver [1]:
> > |       sdata->tx_conf[params->ac] = p;
> > |                   ^^^^^^^^
> > |       if (drv_conf_tx(local, sdata, >>>> params->ac <<<<, &p)) {
> > |        ^^ (this is a wrapper for the *_op_conf_tx)
> >
> > I don't think these chin-up exercises are needed.
> 
> Quite the contrary, you've identified a better place in the call stack
> to sanitize the input and disable speculation. Then we can kill the
> whole class of the wireless driver reports at once it seems.
<https://www.spinics.net/lists/netdev/msg476353.html>

Anyway, I think there's an easy way to solve this: remove the 
"if (queue < ar->hw->queues)" check altogether. It's no longer needed
anymore as the "queue" value is validated long before the driver code
gets called. And from my understanding, this will fix the "In this case
the value of 'ar9170_qmap[queue]' is immediately reused as an index to
the 'ar->edcf' array." gripe your tool complains about.

This is here's a quick test-case for carl9170.:
---
---
What does your tool say about this? 

(If necessary, the "queue" value could be even sanitized with a
queue %= ARRAY_SIZE(ar9170_qmap); before the mutex_lock.)

diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
index 988c8857d78c..2d3afb15bb62 100644
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -1387,13 +1387,8 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,
 	int ret;
 
 	mutex_lock(&ar->mutex);
-	if (queue < ar->hw->queues) {
-		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
-		ret = carl9170_set_qos(ar);
-	} else {
-		ret = -EINVAL;
-	}
-
+	memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
+	ret = carl9170_set_qos(ar);
 	mutex_unlock(&ar->mutex);
 	return ret;
 }