lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 19 Oct 2021 10:06:45 -0700
From:   Brian Norris <briannorris@...omium.org>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     Wan Jiabing <wanjiabing@...o.com>,
        Amitkumar Karwar <amitkarwar@...il.com>,
        Ganapathi Bhat <ganapathi017@...il.com>,
        Sharvari Harisangam <sharvari.harisangam@....com>,
        Xinming Hu <huxinming820@...il.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        linux-wireless <linux-wireless@...r.kernel.org>,
        "<netdev@...r.kernel.org>" <netdev@...r.kernel.org>,
        Linux Kernel <linux-kernel@...r.kernel.org>, kael_w@...h.net,
        syzbot+4e7b6c94d22f4bfca9a0@...kaller.appspotmail.com
Subject: Re: [PATCH] mwifiex: Fix divide error in mwifiex_usb_dnld_fw

On Mon, Oct 18, 2021 at 9:04 PM Eric Dumazet <eric.dumazet@...il.com> wrote:
> On 10/18/21 8:31 PM, Wan Jiabing wrote:
> > --- a/drivers/net/wireless/marvell/mwifiex/usb.c
> > +++ b/drivers/net/wireless/marvell/mwifiex/usb.c
> > @@ -693,7 +693,7 @@ static int mwifiex_write_data_sync(struct mwifiex_adapter *adapter, u8 *pbuf,
> >       struct usb_card_rec *card = adapter->card;
> >       int actual_length, ret;
> >
> > -     if (!(*len % card->bulk_out_maxpktsize))
> > +     if (card->bulk_out_maxpktsize && !(*len % card->bulk_out_maxpktsize))
>
>
> Are you sure this fix is not working around the real bug ?
>
> In which cases bulk_out_maxpktsize would be zero ?
>
> If this is a valid case, this needs to be explained in the changelog.

I'm with Eric here. This was a bug reported by a fuzzer, which throws
invalid input at the driver. The right answer is likely that we should
reject such invalid input when we receive it -- i.e., we should fail
to probe() the device if it has invalid capabilities. In particular,
we should fail to probe if wMaxPacketSize==0.

I was thinking of sending such a patch myself, but I don't have any
USB mwifiex hardware to test, so I deferred. It's probably pretty low
risk anyway, though.

Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ