From patchwork Mon Nov 21 13:29:09 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tobias Regnery <tobias.regnery@gmail.com>
X-Patchwork-Id: 9439423
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6B0BF606DB for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 21 Nov 2016 13:29:43 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D0FB281A7
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 21 Nov 2016 13:29:43 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4F680288D0; Mon, 21 Nov 2016 13:29:43 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E7CB9281A7
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 21 Nov 2016 13:29:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754621AbcKUN3d (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 21 Nov 2016 08:29:33 -0500
Received: from mail-wm0-f67.google.com ([74.125.82.67]:34513 "EHLO
	mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754561AbcKUN3b (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Mon, 21 Nov 2016 08:29:31 -0500
Received: by mail-wm0-f67.google.com with SMTP id g23so2017580wme.1
	for <linux-wireless@vger.kernel.org>;
	Mon, 21 Nov 2016 05:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=z10hEYXVYuC9x8stAPz8gUlG593jrHKrSTGubBYCa2I=;
	b=LQXIn3QZkIBmVak+jzMSvlSYuPIwNraiu+xzIoI1GzwZkCWWHsa2fnF2RUcvag3v9J
	+F47KW980nvq96f1IbKAfeoeGWTotxT8hwOCfCnfGKtMTX2XDyb3yzTyUh3CBjNMNEnK
	uKIvmohgwlWMgVr6ZaiSo1MRSCo7W8EYq1IWJiyVYZ6Kw7+LG/YDbuXufWiXz7xZoUqM
	1JoGe0TritGfjwsQ1GD5KHNRzdzvi80hVCJe7fP0Q7t9Wwz7tXnxNGLfinjHbstRF25J
	ofn1LS9hxfMmG0PyLzV7jwQo6NOHqIJd6wznuUhkEMeQsguZq/5/grFl7Sj94JduoqfY
	5y4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=z10hEYXVYuC9x8stAPz8gUlG593jrHKrSTGubBYCa2I=;
	b=fKxjNfqj2ANWcgiPto0iuUUHOdXW/xtLHExis+Gyj4MXiWdv/ngwjuWS8L4Irk8Of/
	pwjJK7Ouy4GyVV6f8Xg36TPFhsgZb9IAJji9nYBafKIdSAbpl8s6jVGcwaD8Wv7qh/JL
	5Wyk8ec1PZdfPFhLk4gkCKbCc3uyAUVpq+ytctSbTr53P0V0GuPbXLb7KqcL9KozFTzQ
	kxzS7igtmtOrZ4viFigcuuWqCxeACFDgAjxZt3BkjHXZrcrAQCaJMqevjZSvQRK/OarV
	HiUWCen7z7AtHHwsCnOaCb9QnqkDcokBlJ5yg6snvwYs2Jrnhym62w62lMdwIdz70q7n
	xUEg==
X-Gm-Message-State: 
 AKaTC034ZB03Y+55kVYNQqRBQgC0Qd2wtfBhtEY9Z/tH3+3csKyUElf9VeoD2H9lJFmY3g==
X-Received: by 10.194.112.196 with SMTP id is4mr10894662wjb.92.1479734969505;
	Mon, 21 Nov 2016 05:29:29 -0800 (PST)
Received: from localhost.localdomain ([83.243.48.53])
	by smtp.gmail.com with ESMTPSA id
	cl6sm17739461wjc.10.2016.11.21.05.29.28
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 21 Nov 2016 05:29:28 -0800 (PST)
From: Tobias Regnery <tobias.regnery@gmail.com>
To: linux-wireless@vger.kernel.org, kvalo@codeaurora.org,
	arend.vanspriel@broadcom.com, franky.lin@broadcom.com,
	hante.meuleman@broadcom.com, brcm80211-dev-list.pdl@broadcom.com
Cc: Tobias Regnery <tobias.regnery@gmail.com>
Subject: [PATCH] brcmsmac: fix array out-of-bounds access in qm_log10
Date: Mon, 21 Nov 2016 14:29:09 +0100
Message-Id: <1479734949-6300-1-git-send-email-tobias.regnery@gmail.com>
X-Mailer: git-send-email 2.7.4
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

I get the following UBSAN warning during boot on my laptop:

================================================================================
UBSAN: Undefined behaviour in drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:280:21
index 32 is out of range for type 's16 [32]'
CPU: 0 PID: 879 Comm: NetworkManager Not tainted 4.9.0-rc4 #28
Hardware name: LENOVO Lenovo IdeaPad N581/INVALID, BIOS 5ECN96WW(V9.01) 03/14/2013
ffff8800b74a6478 ffffffff828e59d2 0000000041b58ab3 ffffffff8398330c
ffffffff828e5920 ffff8800b74a64a0 ffff8800b74a6450 0000000000000020
1ffffffff845848c ffffed0016e94bf1 ffffffffc22c2460 000000006b9c0514
Call Trace:
[<ffffffff828e59d2>] dump_stack+0xb2/0x110
[<ffffffff828e5920>] ? _atomic_dec_and_lock+0x150/0x150
[<ffffffff82968c9d>] ubsan_epilogue+0xd/0x4e
[<ffffffff82969875>] __ubsan_handle_out_of_bounds+0xfa/0x13e
[<ffffffff8296977b>] ? __ubsan_handle_shift_out_of_bounds+0x241/0x241
[<ffffffffc0d48379>] ? bcma_host_pci_read16+0x59/0xa0 [bcma]
[<ffffffffc0d48388>] ? bcma_host_pci_read16+0x68/0xa0 [bcma]
[<ffffffffc212ad78>] ? read_phy_reg+0xe8/0x180 [brcmsmac]
[<ffffffffc2184714>] qm_log10+0x2e4/0x350 [brcmsmac]
[<ffffffffc2142eb8>] wlc_phy_init_lcnphy+0x538/0x1f20 [brcmsmac]
[<ffffffffc2142980>] ? wlc_lcnphy_periodic_cal+0x5c0/0x5c0 [brcmsmac]
[<ffffffffc1ba0c93>] ? ieee80211_open+0xb3/0x110 [mac80211]
[<ffffffff82f73a02>] ? sk_busy_loop+0x1e2/0x840
[<ffffffff82f7a6ce>] ? __dev_change_flags+0xae/0x220
...

The report is valid: doing the math in this function, with an input value
N=63 the variable s16tableIndex gets a value of 31. This value is used as
an index in the array log_table with 32 entries. But the next line is:

	s16errorApproximation = (s16) qm_mulu16(u16offset,
				(u16) (log_table[s16tableIndex + 1] -
				       log_table[s16tableIndex]));

With s16tableIndex + 1 we are trying an out-of-bounds access to the array.

The log_table array provides log2 values in q.15 format and the above
statement tries an error approximation with the next value. To fix this
issue add the next value to the array and update the comment accordingly.

Signed-off-by: Tobias Regnery <tobias.regnery@gmail.com>
---
I am not that familiar with wireless drivers and thus don't know if this
is the right way to fix the issue. But the UBSAN warning goes away with
this patch and I don't see a regression with my wireless adapter afterwards.

As far as I can tell, this bug is present since the introduction of the
driver in mainline.
---
 drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c
index faf1ebe76068..b9672da24a9d 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c
@@ -179,7 +179,7 @@ s16 qm_norm32(s32 op)
 	return u16extraSignBits;
 }
 
-/* This table is log2(1+(i/32)) where i=[0:1:31], in q.15 format */
+/* This table is log2(1+(i/32)) where i=[0:1:32], in q.15 format */
 static const s16 log_table[] = {
 	0,
 	1455,
@@ -212,7 +212,8 @@ static const s16 log_table[] = {
 	29717,
 	30498,
 	31267,
-	32024
+	32024,
+	32768
 };
 
 #define LOG_TABLE_SIZE 32       /* log_table size */