lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 05 Jun 2009 16:04:40 +0200
From:	Felix Fietkau <nbd@...nwrt.org>
To:	Bob Copeland <me@...copeland.com>
CC:	linville@...driver.com, linux-wireless@...r.kernel.org,
	linux-kernel@...r.kernel.org, rathamahata@...il.com,
	ognjen.maric@...il.com, rjw@...k.pl, stable@...nel.org
Subject: Re: [PATCH] mac80211: fix minstrel single-rate memory corruption

Bob Copeland wrote:
> The minstrel rate controller periodically looks up rate indexes in
> a sampling table.  When accessing a specific row and column, minstrel
> correctly does a bounds check which, on the surface, appears to handle
> the case where mi->n_rates < 2.  However, mi->sample_idx is actually
> defined as an unsigned, so the right hand side is taken to be a huge
> positive number when negative, and the check will always fail.
> 
> Consequently, the RC will overrun the array and cause random memory
> corruption when communicating with a peer that has only a single rate.
> The max value of mi->sample_idx is around 25 so casting to int should
> have no ill effects.
> 
> Without the change, uptime is a few minutes under load with an AP
> that has a single hard-coded rate, and both the AP and STA could
> potentially crash.  With the change, both lasted 12 hours with a
> steady load.
> 
> Thanks to Ognjen Maric for providing the single-rate clue so I could
> reproduce this.
> 
> This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the
> regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000).
> 
> Cc: stable@...nel.org
> Reported-by: Sergey S. Kostyliov <rathamahata@...il.com>
> Reported-by: Ognjen Maric <ognjen.maric@...il.com>
> Signed-off-by: Bob Copeland <me@...copeland.com>
> ---
> 
> John & Felix, the patch itself may be too subtle so feel free to do it a
> different way.  However this is as minimal as it gets so I hope it can
> be applied quickly to stable, and mainline if not too late.
How about changing the type of sample_idx to signed instead of casting
it? It's just a cosmetic thing, so even if you leave at this you get my
Acked-by: Felix Fietkau <nbd@...nwrt.org>

- Felix
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ