lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Oct 2023 14:41:07 -0600
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Johannes Berg <johannes@...solutions.net>, Kalle Valo <kvalo@...nel.org>,
 Jeff Johnson <quic_jjohnson@...cinc.com>
Cc: ath10k@...ts.infradead.org, linux-wireless@...r.kernel.org,
 linux-kernel@...r.kernel.org, "Gustavo A. R. Silva" <gustavoars@...nel.org>,
 linux-hardening@...r.kernel.org
Subject: Re: [RFC - is this a bug?] wifi: ath10k: Asking for some light on
 this, please :)



On 10/24/23 14:11, Johannes Berg wrote:
> On Tue, 2023-10-24 at 13:50 -0600, Gustavo A. R. Silva wrote:
>> Hi all,
>>
>> While working on tranforming one-element array `peer_chan_list` in
>> `struct wmi_tdls_peer_capabilities` into a flex-array member
>>
>> 7187 struct wmi_tdls_peer_capabilities {
>> ...
>> 7199         struct wmi_channel peer_chan_list[1];
>> 7200 } __packed;
>>
>> the following line caught my attention:
>>
>> ./drivers/net/wireless/ath/ath10k/wmi.c:
>> 8920         memset(skb->data, 0, sizeof(*cmd));
>>
>> Notice that before the flex-array transformation, we are zeroing 128
>> bytes in `skb->data` because `sizeof(*cmd) == 128`, see below:
> 
> 
>> So, my question is: do we really need to zero out those extra 24 bytes in
>> `skb->data`? or is it rather a bug in the original code?
>>
> 
> If we look a step further, I _think_ even that memset is unnecessary?

It seems we run into the same issue in the function below, even in the
case this `memset()` is unnecessary (which it seems it's not):

	8920         memset(skb->data, 0, sizeof(*cmd));

Notice that if `cap->peer_chan_len == 0` or `cap->peer_chan_len == 1`,
in the original code, we have `len == sizeof(*cmd) == 128`:

drivers/net/wireless/ath/ath10k/wmi.c:
8911         /* tdls peer update cmd has place holder for one channel*/
8912         chan_len = cap->peer_chan_len ? (cap->peer_chan_len - 1) : 0;
8913
8914         len = sizeof(*cmd) + chan_len * sizeof(*chan);
8915
8916         skb = ath10k_wmi_alloc_skb(ar, len);

> 
> 
> struct sk_buff *ath10k_wmi_alloc_skb(struct ath10k *ar, u32 len)
> {
>          struct sk_buff *skb;
>          u32 round_len = roundup(len, 4);
> 
>          skb = ath10k_htc_alloc_skb(ar, WMI_SKB_HEADROOM + round_len);
>          if (!skb)
>                  return NULL;
> 
>          skb_reserve(skb, WMI_SKB_HEADROOM);
>          if (!IS_ALIGNED((unsigned long)skb->data, 4))
>                  ath10k_warn(ar, "Unaligned WMI skb\n");
> 
>          skb_put(skb, round_len);

so `round_len == roundup(len, 4) == 128` at the moment of this
`memset()` call:

>          memset(skb->data, 0, round_len);

which take us back to the same problem, this time in the `memset()` above,
because after the flex-array transformation we would have:

--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -8905,13 +8905,10 @@ ath10k_wmi_10_4_gen_tdls_peer_update(struct ath10k *ar,
         struct wmi_channel *chan;
         struct sk_buff *skb;
         u32 peer_qos;
-       int len, chan_len;
+       size_t len;
         int i;

-       /* tdls peer update cmd has place holder for one channel*/
-       chan_len = cap->peer_chan_len ? (cap->peer_chan_len - 1) : 0;
-
-       len = sizeof(*cmd) + chan_len * sizeof(*chan);
+       len = struct_size(cmd, peer_capab.peer_chan_list, cap->peer_chan_len);

         skb = ath10k_wmi_alloc_skb(ar, len);
         if (!skb)

which makes `round_len == roundup(len, 4) == struct_size(cmd,...,...) == 104`
when `cap->peer_chan_len == 0`

> So shouldn't the outgoing skb be exactly the same?

It seems it's not.

> 
> Anyway, just looking at the code out of curiosity, I don't actually know
> anything about this driver :)
> 
> johannes

--
Gustavo

Powered by blists - more mailing lists