lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 12 Dec 2023 15:26:59 -0800
From: Jeff Johnson <quic_jjohnson@...cinc.com>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        Johannes Berg
	<johannes@...solutions.net>,
        Kalle Valo <kvalo@...nel.org>
CC: <ath10k@...ts.infradead.org>, <linux-wireless@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>,
        "Gustavo A. R. Silva"
	<gustavoars@...nel.org>,
        <linux-hardening@...r.kernel.org>
Subject: Re: [RFC - is this a bug?] wifi: ath10k: Asking for some light on
 this, please :)

On 10/25/2023 8:52 AM, Jeff Johnson wrote:
> On 10/24/2023 7:37 PM, Gustavo A. R. Silva wrote:
>>
>>
>> On 10/24/23 14:49, Johannes Berg wrote:
>>> On Tue, 2023-10-24 at 14:41 -0600, Gustavo A. R. Silva wrote:
>>>>
>>>> It seems we run into the same issue in the function below, even in the
>>>> case this `memset()` is unnecessary (which it seems it's not):
>>>>
>>>>     8920         memset(skb->data, 0, sizeof(*cmd));
>>>>
>>>> Notice that if `cap->peer_chan_len == 0` or `cap->peer_chan_len == 1`,
>>>> in the original code, we have `len == sizeof(*cmd) == 128`:
>>>
>>> Right.
>>>
>>>> -       /* tdls peer update cmd has place holder for one channel*/
>>>> -       chan_len = cap->peer_chan_len ? (cap->peer_chan_len - 1) : 0;
>>>> -
>>>> -       len = sizeof(*cmd) + chan_len * sizeof(*chan);
>>>> +       len = struct_size(cmd, peer_capab.peer_chan_list, 
>>>> cap->peer_chan_len);
>>>>
>>>>           skb = ath10k_wmi_alloc_skb(ar, len);
>>>>           if (!skb)
>>>>
>>>> which makes `round_len == roundup(len, 4) == struct_size(cmd,...,...) 
>>>> == 104`
>>>> when `cap->peer_chan_len == 0`
>>>
>>> And yeah, that's really the issue, it only matters for ==0. For a moment
>>> there I thought that doesn't even make sense, but it looks like it never
>>> even becomes non-zero.
>>>
>>> No idea then, sorry. You'd hope firmware doesn't care about the actual
>>> message size if the inner data says "0 entries", but who knows? And how
>>> many firmware versions are there? :)
>>>
>>> So I guess you'd want to stay compatible, even if it means having a
>>>
>>>     chan_len = min(cap->peer_chan_len, 1);
>>>
>>> for the struct_size()?
>>
>> Yeah, that's an alternative.
>>
>> I'll wait for the maintainers to chime in and see if they have a different
>> opinion.
> 
> I'm seeing clarification from the development team.
> 
> /jeff
> 

I was not able to get a response from the firmware team.

I have gone ahead and created a series of patches to fix the remaining
flexible array issues in ath10k including the one discussed here. I
should be able to post those sometime this week.

/jeff

Powered by blists - more mailing lists