lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e985ead3ea7841b8b3a94201dfb18776@realtek.com>
Date:   Fri, 9 Dec 2022 05:11:48 +0000
From:   Ping-Ke Shih <pkshih@...ltek.com>
To:     Li Zetao <lizetao1@...wei.com>,
        "kvalo@...nel.org" <kvalo@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>
CC:     "Larry.Finger@...inger.net" <Larry.Finger@...inger.net>,
        "linville@...driver.com" <linville@...driver.com>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()



> -----Original Message-----
> From: Li Zetao <lizetao1@...wei.com>
> Sent: Wednesday, December 7, 2022 11:23 PM
> To: Ping-Ke Shih <pkshih@...ltek.com>; kvalo@...nel.org; davem@...emloft.net; edumazet@...gle.com;
> kuba@...nel.org; pabeni@...hat.com
> Cc: lizetao1@...wei.com; Larry.Finger@...inger.net; linville@...driver.com;
> linux-wireless@...r.kernel.org; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
> 
> There is a global-out-of-bounds reported by KASAN:
> 
>   BUG: KASAN: global-out-of-bounds in
>   _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>   Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411
> 
>   CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D
>   6.1.0-rc8+ #144 e15588508517267d37
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
>   Call Trace:
>    <TASK>
>    ...
>    kasan_report+0xbb/0x1c0
>    _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>    rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]
>    rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]
>    ...
>    </TASK>
> 
> The root cause of the problem is that the comparison order of
> "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The
> _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two
> strings, so this requires the length of the two strings be greater
> than or equal to n. In the  _rtl8812ae_phy_set_txpower_limit(), it was
> originally intended to meet this requirement by carefully designing
> the comparison order. For example, "pregulation" and "pbandwidth" are
> compared in order of length from small to large, first is 3 and last
> is 4. However, the comparison order of "prate_section" dose not obey
> such order requirement, therefore when "prate_section" is "HT", it will
> lead to access out of bounds in _rtl8812ae_eq_n_byte().
> 
> Fix it by adding a length check in _rtl8812ae_eq_n_byte(). Although it
> can be fixed by adjusting the comparison order of "prate_section", this
> may cause the value of "rate_section" to not be from 0 to 5. In
> addition, commit "21e4b0726dc6" not only moved driver from staging to
> regular tree, but also added setting txpower limit function during the
> driver config phase, so the problem was introduced by this commit.
> 
> Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree")
> Signed-off-by: Li Zetao <lizetao1@...wei.com>
> ---
>  drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
> b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
> index a29321e2fa72..720114a9ddb2 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
> @@ -1600,7 +1600,7 @@ static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint)
> 
>  static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num)
>  {

This can causes problem because it compares characters from tail to head, and
we can't simply replace this by strncmp() that does similar work. But, I also
don't like strlen() to loop 'str1' constantly.

How about having a simple loop to compare characters forward:

for (i = 0; i < num; i++)
    if (str1[i] != str2[i])
         return false;

return true;

> -	if (num == 0)
> +	if (num == 0 || strlen(str1) < num)
>  		return false;
>  	while (num > 0) {
>  		num--;
> --
> 2.31.1
> 
> 
> ------Please consider the environment before printing this e-mail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ