lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd90ad42dfa94b07ac2035c6e20433ec@SC-EXCH02.marvell.com>
Date:   Fri, 30 Jun 2017 18:13:19 +0000
From:   Ganapathi Bhat <gbhat@...vell.com>
To:     Brian Norris <briannorris@...omium.org>
CC:     Nishant Sarmukadam <nishants@...vell.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Amitkumar Karwar <amitkarwar@...il.com>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        Avinash Patil <patila@...vell.com>,
        Xinming Hu <huxm@...vell.com>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>
Subject: RE: [EXT] Re: [PATCH] mwifiex: correct channel stat buffer overflows

Hi Brian,

> ----------------------------------------------------------------------
> On Thu, Jun 29, 2017 at 06:23:54PM -0700, Brian Norris wrote:
> > mwifiex records information about various channels as it receives
> scan
> > information. It does this by appending to a buffer that was sized to
> > the max number of supported channels on any band, but there are
> > numerous problems:
> >
> > (a) scans can return info from more than one band (e.g., both 2.4 and
> 5
> >     GHz), so the determined "max" is not large enough
> > (b) some firmware appears to return multiple results for a given
> >     channel, so the max *really* isn't large enough
> > (c) there is no bounds checking when stashing these stats, so
> problems
> >     (a) and (b) can easily lead to buffer overflows
> >
> > Let's patch this by setting a slightly-more-correct max (that
> accounts
> > for a combination of both 2.4G and 5G bands) and adding a bounds
> check
> > when writing to our statistics buffer.
> >
> > Due to problem (b), we still might not properly report all known
> > survey information (e.g., with "iw <dev> survey dump"), since
> > duplicate results (or otherwise "larger than expected" results) will
> > cause some truncation. But that's a problem for a future bugfix.
> >
> > (And because of this known deficiency, only log the excess at the
> WARN
> > level, since that isn't visible by default in this driver and would
> > otherwise be a bit too noisy.)
> >
> > Fixes: bf35443314ac ("mwifiex: channel statistics support for
> > mwifiex")
> > Cc: <stable@...r.kernel.org>
> > Cc: Avinash Patil <patila@...vell.com>
> > Cc: Xinming Hu <huxm@...vell.com>
> > Signed-off-by: Brian Norris <briannorris@...omium.org>
> > ---
> > I've got a ton of other patches still queued up locally, and I hope
> to
> > send them soon. But I realized this one is a nasty bug (with a
> trivial
> > fix), so it's probably best to get this out the door quickly.
> 
> This does make sense to me.
> 
> Reviewed-by: Dmitry Torokhov <dmitry.torokhov@...il.com>
> 
Changes look good.
Reviewed-by: Ganapathi Bhat <gbhat@...vell.com>
> >
> >  drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 +-
> >  drivers/net/wireless/marvell/mwifiex/scan.c     | 6 ++++++
> >  2 files changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
> > b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
> > index a850ec0054e2..82f4e796ed39 100644
> > --- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
> > +++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
> > @@ -4219,7 +4219,7 @@ int mwifiex_init_channel_scan_gap(struct
> mwifiex_adapter *adapter)
> >  	if (adapter->config_bands & BAND_A)
> >  		n_channels_a = mwifiex_band_5ghz.n_channels;
> >
> > -	adapter->num_in_chan_stats = max_t(u32, n_channels_bg,
> n_channels_a);
> > +	adapter->num_in_chan_stats = n_channels_bg + n_channels_a;
> >  	adapter->chan_stats = vmalloc(sizeof(*adapter->chan_stats) *
> >  				      adapter->num_in_chan_stats);
> >
> > diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c
> > b/drivers/net/wireless/marvell/mwifiex/scan.c
> > index ae9630b49342..9900855746ac 100644
> > --- a/drivers/net/wireless/marvell/mwifiex/scan.c
> > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c
> > @@ -2492,6 +2492,12 @@ mwifiex_update_chan_statistics(struct
> mwifiex_private *priv,
> >  					      sizeof(struct mwifiex_chan_stats);
> >
> >  	for (i = 0 ; i < num_chan; i++) {
> > +		if (adapter->survey_idx >= adapter->num_in_chan_stats) {
> > +			mwifiex_dbg(adapter, WARN,
> > +				    "FW reported too many channel results (max
> %d)\n",
> > +				    adapter->num_in_chan_stats);
> > +			return;
> > +		}
> >  		chan_stats.chan_num = fw_chan_stats->chan_num;
> >  		chan_stats.bandcfg = fw_chan_stats->bandcfg;
> >  		chan_stats.flags = fw_chan_stats->flags;
> > --
> > 2.13.2.725.g09c95d1e9-goog
> >
> 
> --
> Dmitry

Regards,
Ganapathi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ