Date: Mon, 06 Nov 2017 23:03:02 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Seraphime Kirkovski" <kirkseraph@...il.com>, "Emmanuel Grumbach" <emmanuel.grumbach@...el.com>, "Luca Coelho" <luciano.coelho@...el.com>
Subject: [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access

3.16.50-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@...el.com>

commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

iwlagn_check_ratid_empty takes the tid as a parameter, but it doesn't check that it is not IWL_TID_NON_QOS. Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS] is a bad idea.

This happened in iwlagn_rx_reply_tx. Since iwlagn_check_ratid_empty is relevant only to check whether we can open A-MPDU, this flow is irrelevant if tid is IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside the if (tid != IWL_TID_NON_QOS) a few lines earlier in the function.

Reported-by: Seraphime Kirkovski <kirkseraph@...il.com>
Tested-by: Seraphime Kirkovski <kirkseraph@...il.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@...el.com>
Signed-off-by: Luca Coelho <luciano.coelho@...el.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>

--- drivers/net/wireless/iwlwifi/dvm/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/wireless/iwlwifi/dvm/tx.c +++ b/drivers/net/wireless/iwlwifi/dvm/tx.c @@ -1190,11 +1190,11 @@ int iwlagn_rx_reply_tx(struct iwl_priv * next_reclaimed; IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n", next_reclaimed); + iwlagn_check_ratid_empty(priv, sta_id, tid); } iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs); - iwlagn_check_ratid_empty(priv, sta_id, tid); freed = 0; /* process frames */
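
Review bot: The bounds guarantee for tid now lives only in the caller, at the added "+ iwlagn_check_ratid_empty(priv, sta_id, tid);" line inside the block that closes just before iwl_trans_reclaim(). The commit message says iwlagn_check_ratid_empty itself does not check that tid is not IWL_TID_NON_QOS, and this hunk leaves that unchanged, so any other or future caller can still index past the end of tid_data. Consider also rejecting an out-of-range tid at the top of iwlagn_check_ratid_empty (an early return, ideally with a one-time warning) so the array access is safe regardless of call site. Separately, the move changes ordering: the call used to run after iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs) and now runs before it. The commit message does not mention this, so it would help to state there that the check does not depend on the reclaim having completed.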