lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 09 Feb 2012 07:41:00 -0700
From:	Tim Gardner <rtg.canonical@...il.com>
To:	Larry Finger <Larry.Finger@...inger.net>
CC:	Ben Hutchings <bhutchings@...arflare.com>,
	Chaoming Li <chaoming_li@...lsil.com.cn>,
	"John W. Linville" <linville@...driver.com>,
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rtlwifi: rtl8192se firmware load can overflow target
 buffer

On 02/08/2012 07:30 PM, Larry Finger wrote:
> On 02/08/2012 03:45 PM, Ben Hutchings wrote:
>> On Wed, 2012-02-08 at 14:08 -0700, Tim Gardner wrote:
>>> The firmware file size check does not use the
>>> correct limit.
>>>
>>> Cc: Larry Finger<Larry.Finger@...inger.net>
>>> Cc: Chaoming Li<chaoming_li@...lsil.com.cn>
>>> Cc: John W. Linville<linville@...driver.com>
>>> Cc: linux-wireless@...r.kernel.org
>>> Cc: netdev@...r.kernel.org
>>> Cc: linux-kernel@...r.kernel.org
>>> Signed-off-by: Tim Gardner<tim.gardner@...onical.com>
>>> ---
>>> drivers/net/wireless/rtlwifi/rtl8192se/fw.h | 3 ++-
>>> drivers/net/wireless/rtlwifi/rtl8192se/sw.c | 2 +-
>>> 2 files changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
>>> b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
>>> index babe85d..5c377fc 100644
>>> --- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
>>> +++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
>>> @@ -30,6 +30,7 @@
>>> #define __REALTEK_FIRMWARE92S_H__
>>>
>>> #define RTL8190_MAX_FIRMWARE_CODE_SIZE 64000
>>> +#define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE 164000
>
> The current size of the firmware is 88,856, thus the value of
> RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE should be set to 90,000 to allow for
> some growth in the size of the firmware. Using 164,000 wastes a lot of
> space.
>
>>> #define RTL8190_CPU_START_OFFSET 0x80
>>> /* Firmware Local buffer size. 64k */
>>> #define MAX_FIRMWARE_CODE_SIZE 0xFF00
>>> @@ -217,7 +218,7 @@ struct rt_firmware {
>>> u8 fw_emem[RTL8190_MAX_FIRMWARE_CODE_SIZE];
>>> u32 fw_imem_len;
>>> u32 fw_emem_len;
>>> - u8 sz_fw_tmpbuffer[164000];
>>> + u8 sz_fw_tmpbuffer[RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE];
>>> u32 sz_fw_tmpbufferlen;
>>> u16 cmdpacket_fragthresold;
>>> };
>>> diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
>>> b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
>>> index ca38dd9..155da0a 100644
>>> --- a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
>>> +++ b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
>>> @@ -105,7 +105,7 @@ static void rtl92se_fw_cb(const struct firmware
>>> *firmware, void *context)
>>> rtlpriv->max_fw_size = 0;
>>> return;
>>> }
>>> - if (firmware->size> rtlpriv->max_fw_size) {
>>> + if (firmware->size>= RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE) {
>
> Do not change this one. rtlpriv->max_fw_size has been set to
> sizeof(struct rt_firmware), which is correct.
>
>>
>> This appears to reject a firmware blob which is exactly the maximum
>> size, which looks wrong. Also doesn't this make the max_fw_size field
>> redundant?
>
> I commented on this one earlier, but to reiterate - max_fw_size is not
> redundant.
>
> Larry

I agree with you about the semantics of rtlpriv->max_fw_size, but I 
don't agree that the size check is correct. While rtlpriv->max_fw_size 
has been set to sizeof(struct rt_firmware), that value is _way_ bigger 
then the size of the target buffer.

sizeof(struct rt_firmware) == 64000+64000+164000 plus some change

The target buffer size is only 164000 bytes.

I've attached v2 of the patch that is simpler and may serve to better 
illustrate my point. By the way, Ben Hutchings was right about the 
original patch having an off by one error. This version also clears 
rtlpriv->max_fw_size if the size check fails. Probably should have 
mentioned that in the commit log.

rtg
-- 
Tim Gardner tim.gardner@...onical.com

View attachment "0001-rtlwifi-rtl8192se-firmware-load-can-overflow-target-.patch" of type "text/x-patch" (2381 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ