lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F5D9D3D.6090206@qca.qualcomm.com>
Date:	Mon, 12 Mar 2012 12:22:45 +0530
From:	Mohammed Shafi Shajakhan <mohammed@....qualcomm.com>
To:	Willy Tarreau <w@....eu>
CC:	Ben Hutchings <ben@...adent.org.uk>,
	<linux-kernel@...r.kernel.org>, <stable@...r.kernel.org>,
	Pavel Roskin <proski@....org>,
	"John W. Linville" <linville@...driver.com>
Subject: Re: [ 08/12] mac80211: zero initialize count field in ieee80211_tx_rate

Hi Willy,

> On Mon, Mar 12, 2012 at 10:06:23AM +0530, Mohammed Shafi Shajakhan wrote:
>>> So I'm pretty sure this patch is wrong for 2.6.32; it could be
>>> backported but I don't think the change is necessary anyway.
>>
>> true, but i think its better to initialize the count = 0 rather than
>> count = 1, though the older version driver checks for rate[i].idx>= 0
>> in ath_rc_tx_status. while the ath_tx_status has no such iteration in
>> the older driver code.
>
> In practice, if the patch brings nothing and not even correctness, I'd
> rather drop it than make us believe that some issue is fixed. However
> if you think it does happen to fix a real issue in 2.6.32 (possibly
> combined with some other missing patch), please tell me so and I will
> happily undelete it.
>

we can drop it. also as there was no driver code checking for 
rate[i].count in the 2.6.32 driver. i am also not sure this fixes 
something in 2.6.32 but the patch itself is correct.

Pavel fixed a rate control crash in ath9k because of invalid rate index 
(-1) access. we were wondering how is it possible the driver can be 
using a invalid rate index ?
we can simply rule out a rate is invalid checking for (rate[i].idx < 0 
&& rate[i].count != 0)

Pavel found that the driver previously checks "only" for rate[i].count 
as non-zero and this itself seems sufficient as we assumed the invalid 
rate indexes are initialized with  -1, 0 for rate[i].idx and 
rate[i].count respectively. later found that mac80211 rate[i].count 
initializes with '1' for the 'rate[i].count' field.

thus we generically fixed in mac80211(also as per doc) to avoid any such 
issues in any rate control, though we can blame the driver for not 
checking for invalid rate.idx while blindly believing on rate[i].count.

thank you!

-- 
thanks,
shafi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ