From patchwork Thu Jun 11 07:43:14 2015
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 6586261
X-Patchwork-Delegate: kvalo@adurom.com
From: Michal Kazior
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org, Michal Kazior
Subject: [PATCH] ath10k: prevent debugfs mmio access crash kernel
Date: Thu, 11 Jun 2015 09:43:14 +0200
Message-Id: <1434008594-6726-1-git-send-email-michal.kazior@tieto.com>

It was possible to force an out of bounds MMIO read/write via debugfs.
E.g. on QCA988X this could be triggered with:

  echo 0x2080e0 | tee /sys/kernel/debug/ieee80211/*/ath10k/reg_addr
  cat /sys/kernel/debug/ieee80211/*/ath10k/reg_value

  BUG: unable to handle kernel paging request at ffffc90001e080e0
  IP: [] ioread32+0x40/0x50
  ...
  Call Trace:
   [] ? ath10k_pci_read32+0x4f/0x70 [ath10k_pci]
   [] ath10k_reg_value_read+0x90/0xf0 [ath10k_core]
   [] ? handle_mm_fault+0xa91/0x1050
   [] __vfs_read+0x28/0xe0
   [] ? security_file_permission+0x84/0xa0
   [] ? rw_verify_area+0x53/0x100
   [] vfs_read+0x8a/0x140
   [] SyS_read+0x49/0xb0
   [] ? trace_do_page_fault+0x3c/0xc0
   [] system_call_fastpath+0x12/0x71

Reported-by: Ben Greear
Signed-off-by: Michal Kazior
---
 drivers/net/wireless/ath/ath10k/pci.c | 13 +++++++++++++
 drivers/net/wireless/ath/ath10k/pci.h | 1 +
 2 files changed, 14 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c index 9da36c764d3b..1843d31fbda7 100644 --- a/drivers/net/wireless/ath/ath10k/pci.c +++ b/drivers/net/wireless/ath/ath10k/pci.c 
@@ -479,6 +479,12 @@ void ath10k_pci_write32(struct ath10k *ar, u32 offset, u32 value) struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); int ret; + if (unlikely(offset + sizeof(value) > ar_pci->mem_len)) { + ath10k_warn(ar, "refusing to write mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n", + offset, offset + sizeof(value), ar_pci->mem_len); + return; + } + ret = ath10k_pci_wake(ar); if (ret) { ath10k_warn(ar, "failed to wake target for write32 of 0x%08x at 0x%08x: %d\n", @@ -496,6 +502,12 @@ u32 ath10k_pci_read32(struct ath10k *ar, u32 offset) u32 val; int ret; + if (unlikely(offset + sizeof(val) > ar_pci->mem_len)) { + ath10k_warn(ar, "refusing to read mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n", + offset, offset + sizeof(val), ar_pci->mem_len); + return 0; + } + ret = ath10k_pci_wake(ar); if (ret) { ath10k_warn(ar, "failed to wake target for read32 at 0x%08x: %d\n", @@ -2682,6 +2694,7 @@ static int ath10k_pci_claim(struct ath10k *ar) pci_set_master(pdev); /* Arrange for access to Target SoC registers. */ + ar_pci->mem_len = pci_resource_len(pdev, BAR_NUM); ar_pci->mem = pci_iomap(pdev, BAR_NUM, 0); if (!ar_pci->mem) { ath10k_err(ar, "failed to iomap BAR%d\n", BAR_NUM); diff --git a/drivers/net/wireless/ath/ath10k/pci.h b/drivers/net/wireless/ath/ath10k/pci.h index d7696ddc03c4..eea0a0170b00 100644 --- a/drivers/net/wireless/ath/ath10k/pci.h +++ b/drivers/net/wireless/ath/ath10k/pci.h @@ -162,6 +162,7 @@ struct ath10k_pci { struct device *dev; struct ath10k *ar; void __iomem *mem; + size_t mem_len; /* * Number of MSI interrupts granted, 0 --> using legacy PCI line
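
Review bot: In the ath10k_pci_write32() hunk the bound test `offset + sizeof(value) > ar_pci->mem_len` adds a u32 to a size_t, so on a build where size_t is 32 bits an offset within 3 bytes of 0xffffffff wraps to a small sum and passes the check. Writing the comparison without the addition avoids the wrap, for example `ar_pci->mem_len < sizeof(value) || offset > ar_pci->mem_len - sizeof(value)`. The identical test in the ath10k_pci_read32() hunk needs the same change, since the commit message says the offset comes from debugfs and can therefore be any u32.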
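
Review bot: The refused read in the ath10k_pci_read32() hunk does `return 0;`, which a caller cannot tell apart from a register that really holds 0, so the only sign of a rejected access is the ath10k_warn() line in the log. Since the function returns u32 and has no error channel, consider also validating the address where it is set (the debugfs reg_addr write named in the commit message) and failing there with an error such as -EINVAL, so that reading reg_value never reports a plausible-looking 0 for an address outside the mapping.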
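
Review bot: In the ath10k_pci_claim() hunk mem_len is assigned before pci_iomap() is known to have succeeded, so on the `if (!ar_pci->mem)` failure path the struct is left with a non-zero length next to a NULL mapping. Assigning it after the NULL check, or clearing it on the error path, keeps mem and mem_len consistent for the new bound checks. pci_resource_len() returns resource_size_t while the field added in pci.h is size_t; a one-line comment on the field saying it is the byte length of the BAR_NUM mapping would document what the checks compare against.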