Message ID | d4f8780527d551552ee96f17a0229e02e1c200d1.1692931954.git.gustavoars@kernel.org (mailing list archive) |
---|---|
State | Accepted |
Commit | d5a93b7d2877aae4ba7590ad6cb65f8d33079489 |
Delegated to: | Kalle Valo |
Headers | show |
Series | wifi: mwifiex: Fix tlv_buf_left calculation and replace one-element array | expand |
On Thu, Aug 24, 2023 at 09:10:45PM -0600, Gustavo A. R. Silva wrote: > Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before > decoding data from `event_buf`. > > This prevents any malicious or buggy firmware from overflowing > `event_buf` through large values for `tlv_len` and `tlv_bitmap_len`. > > Suggested-by: Dan Williams <dcbw@redhat.com> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> > --- > Changes in v2: > - Fix format specifier: %ld -> %zu > | Reported-by: kernel test robot <lkp@intel.com> > | Closes: https://lore.kernel.org/oe-kbuild-all/202308240844.leyoOwdG-lkp@intel.com/ > > - Update warning messages to explicitly mention that TLV size is > greater than tlv_buf_len. > > v1: > - Link: https://lore.kernel.org/linux-hardening/587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@kernel.org/ > > .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > index 735aac52bdc4..10690e82358b 100644 > --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > @@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, > while (tlv_buf_left > sizeof(*tlv_rxba)) { > tlv_type = le16_to_cpu(tlv_rxba->header.type); > tlv_len = le16_to_cpu(tlv_rxba->header.len); > + if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) { > + mwifiex_dbg(priv->adapter, WARN, > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > + size_add(sizeof(tlv_rxba->header), tlv_len), > + tlv_buf_left); With the suggested change to make this a warning and not dbg: Reviewed-by: Kees Cook <keescook@chromium.org> Thanks! -Kees > + return; > + } > + > if (tlv_type != TLV_TYPE_RXBA_SYNC) { > mwifiex_dbg(priv->adapter, ERROR, > "Wrong TLV id=0x%x\n", tlv_type); > @@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, > > tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num); > tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len); > + if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) { > + mwifiex_dbg(priv->adapter, WARN, > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > + size_add(sizeof(*tlv_rxba), tlv_bitmap_len), > + tlv_buf_left); > + return; > + } > + > mwifiex_dbg(priv->adapter, INFO, > "%pM tid=%d seq_num=%d bitmap_len=%d\n", > tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num, > -- > 2.34.1 >
On Fri, Aug 25, 2023 at 2:10 PM Kees Cook <keescook@chromium.org> wrote: > On Thu, Aug 24, 2023 at 09:10:45PM -0600, Gustavo A. R. Silva wrote: > > + mwifiex_dbg(priv->adapter, WARN, > > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > > + size_add(sizeof(tlv_rxba->header), tlv_len), > > + tlv_buf_left); > > With the suggested change to make this a warning and not dbg: mwifiex_dbg(..., WARN, ...) *is* a warning, not a debug message. Or at least, that's how it's used throughout this driver, even though it actually yields a dev_info()-level message, regardless of the 'mask' arg: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/marvell/mwifiex/main.c?id=v6.4#n1811
On Fri, Aug 25, 2023 at 04:38:56PM -0700, Brian Norris wrote: > On Fri, Aug 25, 2023 at 2:10 PM Kees Cook <keescook@chromium.org> wrote: > > On Thu, Aug 24, 2023 at 09:10:45PM -0600, Gustavo A. R. Silva wrote: > > > + mwifiex_dbg(priv->adapter, WARN, > > > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > > > + size_add(sizeof(tlv_rxba->header), tlv_len), > > > + tlv_buf_left); > > > > With the suggested change to make this a warning and not dbg: > > mwifiex_dbg(..., WARN, ...) *is* a warning, not a debug message. Or at > least, that's how it's used throughout this driver, even though it > actually yields a dev_info()-level message, regardless of the 'mask' > arg: Oh duh. My eyes didn't get any further than "dbg". My bad! Yes, this is good as-is. :) Sorry for the noise! -Kees
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c index 735aac52bdc4..10690e82358b 100644 --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c @@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, while (tlv_buf_left > sizeof(*tlv_rxba)) { tlv_type = le16_to_cpu(tlv_rxba->header.type); tlv_len = le16_to_cpu(tlv_rxba->header.len); + if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) { + mwifiex_dbg(priv->adapter, WARN, + "TLV size (%zu) overflows event_buf buf_left=%d\n", + size_add(sizeof(tlv_rxba->header), tlv_len), + tlv_buf_left); + return; + } + if (tlv_type != TLV_TYPE_RXBA_SYNC) { mwifiex_dbg(priv->adapter, ERROR, "Wrong TLV id=0x%x\n", tlv_type); @@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num); tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len); + if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) { + mwifiex_dbg(priv->adapter, WARN, + "TLV size (%zu) overflows event_buf buf_left=%d\n", + size_add(sizeof(*tlv_rxba), tlv_bitmap_len), + tlv_buf_left); + return; + } + mwifiex_dbg(priv->adapter, INFO, "%pM tid=%d seq_num=%d bitmap_len=%d\n", tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before decoding data from `event_buf`. This prevents any malicious or buggy firmware from overflowing `event_buf` through large values for `tlv_len` and `tlv_bitmap_len`. Suggested-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- Changes in v2: - Fix format specifier: %ld -> %zu | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202308240844.leyoOwdG-lkp@intel.com/ - Update warning messages to explicitly mention that TLV size is greater than tlv_buf_len. v1: - Link: https://lore.kernel.org/linux-hardening/587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@kernel.org/ .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)