From patchwork Tue Jun 23 22:11:05 2020
X-Patchwork-Submitter: Zekun Shen
X-Patchwork-Id: 11621901
From: Zekun Shen
To:
Subject: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n
Date: Tue, 23 Jun 2020 18:11:05 -0400
Message-Id: <20200623221105.3486-1-bruceshenzk@gmail.com>
Cc: security@kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, ath10k@lists.infradead.org, Zekun Shen , Jakub Kicinski , "David S. Miller" , Kalle Valo

The idx in the __ath10k_htt_rx_ring_fill_n function lives in a consistent DMA region writable by the device. A malfunctioning or malicious device could manipulate such idx to have an OOB write, either by

	htt->rx_ring.netbufs_ring[idx] = skb;

or by

	ath10k_htt_set_paddrs_ring(htt, paddr, idx);

The idx can also be negative as it's signed, giving a large memory space to write to.
It's possibly exploitable by corrupting a legit pointer with a skb pointer, and then filling the skb with payload as a rogue object.

Signed-off-by: Zekun Shen
---
Part of the log here. Sometimes it appears as a UAF when writing to freed memory by chance.

[ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
[ 15.595483] #PF: supervisor write access in kernel mode
[ 15.596250] #PF: error_code(0x0002) - not-present page
[ 15.597013] PGD 0 P4D 0
[ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
[ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
[ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
[ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core

 drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index d787cbead..4e411b33a 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -142,6 +142,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num) BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2); idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr); + + if (idx < 0 || idx >= htt->rx_ring.size) { + ath10k_err(htt->ar, "idx OOB, firmware malfunctioning?\n"); + idx &= htt->rx_ring.size_mask; + ret = -ENOMEM; + goto fail; + } + while (num > 0) { skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN); if (!skb) {
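Review bot: `idx &= htt->rx_ring.size_mask;` assigns a masked index that nothing in the hunk reads before `goto fail`, so the line is either dead or relies on the `fail:` path (not shown here) writing `idx` back to the device-shared `alloc_idx`; if the latter is the intent, a comment next to the mask should say that it leaves a sane value for the firmware, since a reader cannot otherwise tell why a rejected index is being repaired rather than just refused. Separately, `ret = -ENOMEM` reports a corrupted device-writable index as an allocation failure, indistinguishable from the real `dev_alloc_skb()` failure handled right below (`if (!skb) {`); -EIO or -EINVAL would describe the condition, and `ath10k_err()` on every call of this fill routine will flood the log once firmware wedges the index, so a rate-limited warning is preferable.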
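As an added illustration (not ath10k code and not part of the patch above), the following userspace C model reproduces the hazard the commit message describes and the shape of the fix in isolation: a ring whose index word is owned by the "device", an unchecked view of which slot a hostile index would hit, and a fill routine that snapshots the shared index once and validates that snapshot before touching either the buffer-pointer array or the address ring. Every name in it (rx_ring_model, unchecked_first_slot, ring_fill_checked, run_fill, RING_SIZE) is hypothetical, the 8-slot ring and the buffer pointers are constructed inputs, and -EIO is chosen here as the rejection code purely for illustration.

```c
/* Userspace model of a device-writable rx ring index, added here as an
 * illustration. This is NOT ath10k code; all names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 8                 /* constructed: a tiny power-of-two ring */
#define RING_MASK (RING_SIZE - 1)

struct rx_ring_model {
	void *netbufs_ring[RING_SIZE];   /* host-side buffer pointers (skb stand-ins) */
	uint32_t paddrs_ring[RING_SIZE]; /* addresses handed to the device */
	/* In the driver this word lives in coherent DMA memory; the device may
	 * store any 32-bit value here at any time, so it is never trusted. */
	volatile uint32_t alloc_idx;
	int fill_cnt;
};

/* Pre-fix behaviour: the raw 32-bit word is converted to a signed int and
 * used as an array index. Returns the slot an unchecked fill would write
 * first; anything negative or >= RING_SIZE is an out-of-bounds write. */
static long unchecked_first_slot(uint32_t dev_idx)
{
	int idx = (int)dev_idx;          /* 0xFFFFFFF0 becomes -16 */
	return idx;
}

/* Hardened fill: snapshot the shared index once, validate the snapshot,
 * and refuse to write anything if it is outside the ring. Returns the
 * number of slots filled or a negative errno. */
static int ring_fill_checked(struct rx_ring_model *r, int num, void **bufs)
{
	int idx = (int)r->alloc_idx;     /* single read; only this copy is used */
	int filled = 0;

	if (idx < 0 || idx >= RING_SIZE)
		return -EIO;                 /* corrupted or hostile index */

	while (num > 0) {
		r->netbufs_ring[idx] = bufs[filled];
		r->paddrs_ring[idx] = (uint32_t)(uintptr_t)bufs[filled];
		idx = (idx + 1) & RING_MASK; /* wrap inside the ring */
		filled++;
		num--;
	}
	r->fill_cnt += filled;
	r->alloc_idx = (uint32_t)idx;    /* publish the new index to the device */
	return filled;
}

/* Drive one fill against a fresh ring whose shared word the "device" set to
 * dev_idx. Returns the fill result; on success also checks placement and
 * returns -1 if a buffer landed in the wrong slot. */
static int run_fill(uint32_t dev_idx, int num)
{
	struct rx_ring_model r;
	void *bufs[RING_SIZE];
	int i, rc, slot;

	if (num < 1 || num > RING_SIZE)
		return -EINVAL;
	memset(&r, 0, sizeof(r));
	for (i = 0; i < RING_SIZE; i++)
		bufs[i] = &bufs[i];          /* constructed stand-ins for skb pointers */
	r.alloc_idx = dev_idx;

	rc = ring_fill_checked(&r, num, bufs);
	if (rc < 0)
		return rc;
	slot = (int)dev_idx;
	for (i = 0; i < num; i++, slot = (slot + 1) & RING_MASK)
		if (r.netbufs_ring[slot] != bufs[i])
			return -1;
	if (r.alloc_idx != (uint32_t)slot || r.fill_cnt != num)
		return -1;
	return rc;
}

int main(void)
{
	printf("unchecked slot for 0xFFFFFFF0: %ld\n", unchecked_first_slot(0xFFFFFFF0u));
	printf("fill from idx 6, 4 bufs: %d\n", run_fill(6, 4));
	printf("fill from idx 0xFFFFFFF0: %d\n", run_fill(0xFFFFFFF0u, 4));
	printf("fill from idx %d: %d\n", RING_SIZE, run_fill((uint32_t)RING_SIZE, 1));
	return 0;
}
```

The point of the model is where the check sits: the index is read from the shared word into a local exactly once, and only that local is validated and used, so a device that rewrites the word after the read cannot redirect the writes. Validating the shared word in place and then re-reading it for the array access would reintroduce the race.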