diff mbox series

[v2] rtlwifi: Fix potential overflow on P2P code

Message ID 20191018114321.13131-1-labbott@redhat.com (mailing list archive)
State Accepted
Commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1
Delegated to: Kalle Valo
Headers show
Series [v2] rtlwifi: Fix potential overflow on P2P code | expand

Commit Message

Laura Abbott Oct. 18, 2019, 11:43 a.m. UTC
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.

Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
 drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Ping-Ke Shih Oct. 18, 2019, 12:35 p.m. UTC | #1
On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
> 
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>

Acked-by: Ping-Ke Shih <pkshih@realtek.com>
and Please CC to stable
Cc: Stable <stable@vger.kernel.org> # 4.4+

---

Hi Kalle,

This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?

Thanks
PK


> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;
> +
>  			}
>  			noa_index = ie[3];
>  			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;
> +
>  			}
>  			noa_index = ie[3];
>  			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
Kalle Valo Oct. 19, 2019, 10:51 a.m. UTC | #2
Laura Abbott <labbott@redhat.com> writes:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;
> +
>  			}
>  			noa_index = ie[3];
>  			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;

IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.
Kalle Valo Oct. 19, 2019, 10:57 a.m. UTC | #3
Pkshih <pkshih@realtek.com> writes:

> On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>> 
>> Reported-by: Nicolas Waisman <nico@semmle.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
> and Please CC to stable
> Cc: Stable <stable@vger.kernel.org> # 4.4+
>
> ---
>
> Hi Kalle,
>
> This bug was existing since v3.10, and directory of wireless drivers were
> moved at v4.4. Do I need send another patch to fix this issue for longterm
> kernel v3.16.75?

Yeah, I think you need to send a separate patch to the stable list
(after this commit is in Linus' tree).
Laura Abbott Oct. 19, 2019, 7:02 p.m. UTC | #4
On 10/19/19 6:51 AM, Kalle Valo wrote:
> Laura Abbott <labbott@redhat.com> writes:
> 
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>>
>> Reported-by: Nicolas Waisman <nico@semmle.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>> ---
>>   drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> index 70f04c2f5b17..fff8dda14023 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>>   				return;
>>   			} else {
>>   				noa_num = (noa_len - 2) / 13;
>> +				if (noa_num > P2P_MAX_NOA_NUM)
>> +					noa_num = P2P_MAX_NOA_NUM;
>> +
>>   			}
>>   			noa_index = ie[3];
>>   			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>>   				return;
>>   			} else {
>>   				noa_num = (noa_len - 2) / 13;
>> +				if (noa_num > P2P_MAX_NOA_NUM)
>> +					noa_num = P2P_MAX_NOA_NUM;
> 
> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
> you.
> 

I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.

Thanks,
Laura
Kalle Valo Oct. 20, 2019, 6:18 a.m. UTC | #5
Laura Abbott <labbott@redhat.com> writes:

> On 10/19/19 6:51 AM, Kalle Valo wrote:
>> Laura Abbott <labbott@redhat.com> writes:
>>
>>> Nicolas Waisman noticed that even though noa_len is checked for
>>> a compatible length it's still possible to overrun the buffers
>>> of p2pinfo since there's no check on the upper bound of noa_num.
>>> Bound noa_num against P2P_MAX_NOA_NUM.
>>>
>>> Reported-by: Nicolas Waisman <nico@semmle.com>
>>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>>> ---
>>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>>> ---
>>>   drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>>>   1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> index 70f04c2f5b17..fff8dda14023 100644
>>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>>>   				return;
>>>   			} else {
>>>   				noa_num = (noa_len - 2) / 13;
>>> +				if (noa_num > P2P_MAX_NOA_NUM)
>>> +					noa_num = P2P_MAX_NOA_NUM;
>>> +
>>>   			}
>>>   			noa_index = ie[3];
>>>   			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>>>   				return;
>>>   			} else {
>>>   				noa_num = (noa_len - 2) / 13;
>>> +				if (noa_num > P2P_MAX_NOA_NUM)
>>> +					noa_num = P2P_MAX_NOA_NUM;
>>
>> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
>> you.
>>
>
> I believe the intention is to re-write this anyway so I'd prefer to
> just get this in given the uptick this issue seems to have gotten.

Ok, I'll queue this to v5.4.
Kalle Valo Oct. 23, 2019, 10:31 a.m. UTC | #6
Laura Abbott <labbott@redhat.com> wrote:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
> 
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>

Patch applied to wireless-drivers.git, thanks.

8c55dedb795b rtlwifi: Fix potential overflow on P2P code
diff mbox series

Patch

diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@  static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
+
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@  static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
+
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==