lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <36878f3488f047978038c844daedd02f@aptaiexm02f.ap.qualcomm.com>
Date:   Tue, 27 Aug 2019 03:33:52 +0000
From:   Wen Gong <wgong@....qualcomm.com>
To:     Nicolas Boichat <drinkcat@...omium.org>,
        "kvalo@...eaurora.org" <kvalo@...eaurora.org>
CC:     Alagu Sankar <alagusankar@...ex-india.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "briannorris@...omium.org" <briannorris@...omium.org>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ath10k@...ts.infradead.org" <ath10k@...ts.infradead.org>,
        "wgong@...eaurora.org" <wgong@...eaurora.org>,
        "niklas.cassel@...aro.org" <niklas.cassel@...aro.org>,
        "tientzu@...omium.org" <tientzu@...omium.org>,
        "David S . Miller" <davem@...emloft.net>
Subject: RE: [PATCH,
 RFC] ath10k: Fix skb->len (properly) in ath10k_sdio_mbox_rx_packet

> -----Original Message-----
> From: ath10k <ath10k-bounces@...ts.infradead.org> On Behalf Of Nicolas
> Boichat
> Sent: Tuesday, August 27, 2019 8:33 AM
> To: kvalo@...eaurora.org
> Cc: Alagu Sankar <alagusankar@...ex-india.com>; netdev@...r.kernel.org;
> briannorris@...omium.org; linux-wireless@...r.kernel.org; linux-
> kernel@...r.kernel.org; ath10k@...ts.infradead.org;
> wgong@...eaurora.org; niklas.cassel@...aro.org; tientzu@...omium.org;
> David S . Miller <davem@...emloft.net>
> Subject: [EXT] [PATCH, RFC] ath10k: Fix skb->len (properly) in
> ath10k_sdio_mbox_rx_packet
> 
> (not a formal patch, take this as a bug report for now, I can clean
> up depending on the feedback I get here)
> 
> There's at least 3 issues here, and the patch fixes 2/3 only, I'm not sure
> how/if 1 should be handled.
>  1. ath10k_sdio_mbox_rx_alloc allocating skb of a incorrect size (too
>     small)
>  2. ath10k_sdio_mbox_rx_packet calling skb_put with that incorrect size.
>  3. ath10k_sdio_mbox_rx_process_packet attempts to fixup the size, but
>     does not use proper skb_put commands to do so, so we end up with
>     a mismatch between skb->head + skb->tail and skb->data + skb->len.
> 
> Let's start with 3, this is quite serious as this and causes corruptions
> in the TCP stack, as the stack tries to coalesce packets, and relies on
> skb->tail being correct (that is, skb_tail_pointer must point to the
> first byte _after_ the data): one must never manipulate skb->len
> directly.
> 
> Instead, we need to use skb_put to allocate more space (which updates
> skb->len and skb->tail). But it seems odd to do that in
> ath10k_sdio_mbox_rx_process_packet, so I move the code to
> ath10k_sdio_mbox_rx_packet (point 2 above).
> 
> However, there is still something strange (point 1 above), why is
> ath10k_sdio_mbox_rx_alloc allocating packets of the incorrect
> (too small?) size? What happens if the packet is bigger than alloc_len?
> Does this lead to corruption/lost data?
> 
> Fixes: 8530b4e7b22bc3b ("ath10k: sdio: set skb len for all rx packets")
> Signed-off-by: Nicolas Boichat <drinkcat@...omium.org>
> 
> ---
> 
> One simple way to test this is this scriplet, that sends a lot of
> small packets over SSH:
> (for i in `seq 1 300`; do echo $i; sleep 0.1; done) | ssh $IP cat
> 
> In my testing it rarely ever reach 300 without failure.
> 
>  drivers/net/wireless/ath/ath10k/sdio.c | 18 ++++++++++++------
>  1 file changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath10k/sdio.c
> b/drivers/net/wireless/ath/ath10k/sdio.c
> index 8ed4fbd8d6c3888..a9f5002863ee7bb 100644
> --- a/drivers/net/wireless/ath/ath10k/sdio.c
> +++ b/drivers/net/wireless/ath/ath10k/sdio.c
> @@ -381,16 +381,14 @@ static int
> ath10k_sdio_mbox_rx_process_packet(struct ath10k *ar,
>  	struct ath10k_htc_hdr *htc_hdr = (struct ath10k_htc_hdr *)skb->data;
>  	bool trailer_present = htc_hdr->flags &
> ATH10K_HTC_FLAG_TRAILER_PRESENT;
>  	enum ath10k_htc_ep_id eid;
> -	u16 payload_len;
>  	u8 *trailer;
>  	int ret;
> 
> -	payload_len = le16_to_cpu(htc_hdr->len);
> -	skb->len = payload_len + sizeof(struct ath10k_htc_hdr);
> +	/* TODO: Remove this? */
If the pkt->act_len has set again in ath10k_sdio_mbox_rx_packet, seems not needed.
> +	WARN_ON(skb->len != le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr));
> 
>  	if (trailer_present) {
> -		trailer = skb->data + sizeof(*htc_hdr) +
> -			  payload_len - htc_hdr->trailer_len;
> +		trailer = skb->data + skb->len - htc_hdr->trailer_len;
> 
>  		eid = pipe_id_to_eid(htc_hdr->eid);
> 
> @@ -637,8 +635,16 @@ static int ath10k_sdio_mbox_rx_packet(struct
> ath10k *ar,
>  	ret = ath10k_sdio_readsb(ar, ar_sdio->mbox_info.htc_addr,
>  				 skb->data, pkt->alloc_len);
>  	pkt->status = ret;
> -	if (!ret)
> +	if (!ret) {
> +		/* Update actual length. */
> +		/* FIXME: This looks quite wrong, why is pkt->act_len not
> +		 * correct in the first place?
> +		 */
Firmware will do bundle for rx packet, and the aligned length by block size(256) of each packet's len is same 
in a bundle.

Eg. 
packet 1 len: 300, aligned length:512
packet 2 len: 400, aligned length:512
packet 3 len: 200, aligned length:256
packet 4 len: 100, aligned length:256
packet 5 len: 700, aligned length:768
packet 6 len: 600, aligned length:768

then packet 1,2 will in bundle 1, packet 3,4 in a bundle 2, packet 5,6 in a bundle 3.

For bundle 1, packet 1,2 will both allocate with len 512, and act_len is 300 first,
then packet 2's len will be overwrite to 400.

For bundle 2, packet 3,4 will both allocate with len 256, and act_len is 200 first,
then packet 4's len will be overwrite to 100.

For bundle 3, packet 5,6 will both allocate with len 768, and act_len is 700 first,
then packet 6's len will be overwrite to 600.

> +		struct ath10k_htc_hdr *htc_hdr =
> +			(struct ath10k_htc_hdr *)skb->data;
> +		pkt->act_len = le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr);
>  		skb_put(skb, pkt->act_len);
> +	}
> 
>  	return ret;
>  }
> --
> 2.23.0.187.g17f5b7556c-goog
> 
> 
> _______________________________________________
> ath10k mailing list
> ath10k@...ts.infradead.org
> http://lists.infradead.org/mailman/listinfo/ath10k

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ