| Message ID | 20200527184830.GA1164846@mwanda (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 11e7a91994c29da96d847f676be023da6a2c1359 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [v3] airo: Fix read overflows sending packets | expand |
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.6.14, v5.4.42, v4.19.124, v4.14.181, v4.9.224, v4.4.224.
v5.6.14: Build OK!
v5.4.42: Build OK!
v4.19.124: Build OK!
v4.14.181: Build OK!
v4.9.224: Build OK!
v4.4.224: Failed to apply! Possible dependencies:
Unable to calculate
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
On Wed, May 27, 2020 at 11:48 AM Dan Carpenter <dan.carpenter@oracle.com> wrote: > > The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from > skb->data even when skb->len is less than ETH_ZLEN so it leads to a read > overflow. > > The fix is to pad skb->data to at least ETH_ZLEN bytes. > > Cc: <stable@vger.kernel.org> > Reported-by: Hu Jiahui <kirin.say@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: remove an unnecessary if statement > increment the ->tx_dropped count on failure > fix found two more instances of the same bug. > fix typo in the "Cc: <stable@vger.kernel.org>" tag > v3: I had thought that skb_padto() updated skb->len so that it would > always be more than ETH_ZLEN meaning that we could delete the checks > for smaller values: "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;" > But I was wrong and those are still required. > > drivers/net/wireless/cisco/airo.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > Reviewed-by: Eric Dumazet <edumazet@google.com>
Dan Carpenter <dan.carpenter@oracle.com> wrote: > The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from > skb->data even when skb->len is less than ETH_ZLEN so it leads to a read > overflow. > > The fix is to pad skb->data to at least ETH_ZLEN bytes. > > Cc: <stable@vger.kernel.org> > Reported-by: Hu Jiahui <kirin.say@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Reviewed-by: Eric Dumazet <edumazet@google.com> Patch applied to wireless-drivers-next.git, thanks. 11e7a91994c2 airo: Fix read overflows sending packets
diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c index 8363f91df7ea7..827bb6d74815a 100644 --- a/drivers/net/wireless/cisco/airo.c +++ b/drivers/net/wireless/cisco/airo.c @@ -1925,6 +1925,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!",__func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } npacks = skb_queue_len (&ai->txq); if (npacks >= MAXTXQ - 1) { @@ -2127,6 +2131,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!", __func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } /* Find a vacant FID */ for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ ); @@ -2201,6 +2209,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!", __func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } /* Find a vacant FID */ for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from skb->data even when skb->len is less than ETH_ZLEN so it leads to a read overflow. The fix is to pad skb->data to at least ETH_ZLEN bytes. Cc: <stable@vger.kernel.org> Reported-by: Hu Jiahui <kirin.say@gmail.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: remove an unnecessary if statement increment the ->tx_dropped count on failure fix found two more instances of the same bug. fix typo in the "Cc: <stable@vger.kernel.org>" tag v3: I had thought that skb_padto() updated skb->len so that it would always be more than ETH_ZLEN meaning that we could delete the checks for smaller values: "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;" But I was wrong and those are still required. drivers/net/wireless/cisco/airo.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)