| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Jun 2017 06:31:01 +0000
From: "Grumbach, Emmanuel" <emmanuel.grumbach@...el.com>
To: Seraphime Kirkovski <kirkseraph@...il.com>,
"luca@...lho.fi" <luca@...lho.fi>
CC: "Berg, Johannes" <johannes.berg@...el.com>,
"Coelho, Luciano" <luciano.coelho@...el.com>,
linuxwifi <linuxwifi@...el.com>,
Kalle Valo <kvalo@...eaurora.org>,
"open list:INTEL WIRELESS WIFI LINK (iwlwifi)"
<linux-wireless@...r.kernel.org>,
"open list:NETWORKING DRIVERS" <netdev@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: RE: [linuxwifi] [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid
mask
Hi,
> Subject: [linuxwifi] [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask
>
> Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid,
> which gives 16 possible values for tid.
> This is problematic because IWL_MAX_TID_COUNT is 8, so indexing
> iwl_priv::tid_data can go very wrong.
True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
that we don't index tid_data with this. Hence I think the proper fix is:
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
index 06ac3f1..16a8646 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
@@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
next_reclaimed;
IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
next_reclaimed);
+ iwlagn_check_ratid_empty(priv, sta_id, tid);
}
iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
- iwlagn_check_ratid_empty(priv, sta_id, tid);
freed = 0;
/* process frames */
Clearly calling iwlagn_check_ratid_empty with tid = IWL_TID_NON_QOS is a bad idea.
>
> With UBSAN I can it happening while establishing the first connection
> after module load.
>
> [ 272.143440] UBSAN: Undefined behaviour in
> drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32
> [ 272.143447] index 8 is out of range for type 'iwl_tid_data [8]'
> [ 272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty
> #2
> [ 272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B,
> BIOS 68SSU Ver. F.02 07/26/2011
> [ 272.143462] Call Trace:
> [ 272.143472] dump_stack+0x9c/0x10b
> [ 272.143477] ? _atomic_dec_and_lock+0x285/0x285
> [ 272.143486] ubsan_epilogue+0xd/0x4e
> [ 272.143493] __ubsan_handle_out_of_bounds+0xef/0x118
> [ 272.143498] ? __ubsan_handle_shift_out_of_bounds+0x221/0x221
> [ 272.143519] ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi]
> [ 272.143539] iwlagn_check_ratid_empty+0x337/0x410 [iwldvm]
> [ 272.143556] ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi]
> [ 272.143571] iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm]
>
> Signed-off-by: Seraphime Kirkovski <kirkseraph@...il.com>
> ---
> I'm currently running this patch on my machines and I have wifi.
> The patch presumes а cleanup patch, I sent yesterday:
> https://www.spinics.net/lists/kernel/msg2526314.html
>
> drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> index 37d2ba5ae852..e5994df9ea4c 100644
> --- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> +++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> @@ -1448,7 +1448,7 @@ struct agg_tx_status {
> */
> /* refer to ra_tid */
> #define IWLAGN_TX_RES_TID_POS 0
> -#define IWLAGN_TX_RES_TID_MSK 0x0f
> +#define IWLAGN_TX_RES_TID_MSK 0x07
> #define IWLAGN_TX_RES_RA_POS 4
> #define IWLAGN_TX_RES_RA_MSK 0xf0
>
> --
> 2.11.0
>
> -------------------------------------
> linuxwifi@...ists.intel.com
> https://eclists.intel.com/sympa/info/linuxwifi
> Unsubscribe by sending email to sympa@...ists.intel.com with subject
> "Unsubscribe linuxwifi"
Powered by blists - more mailing lists