lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 14 Sep 2023 15:09:47 +0800
From:   Pin-yen Lin <treapking@...omium.org>
To:     Brian Norris <briannorris@...omium.org>
Cc:     linux-wireless@...r.kernel.org, Kalle Valo <kvalo@...nel.org>,
        Polaris Pi <pinkperfect2021@...il.com>,
        Matthew Wang <matthewmwang@...omium.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet

Hi Brian,

Thanks for the review.

On Thu, Sep 14, 2023 at 4:31 AM Brian Norris <briannorris@...omium.org> wrote:
>
> On Fri, Sep 08, 2023 at 06:41:12PM +0800, Pin-yen Lin wrote:
> > Only skip the code path trying to access the rfc1042 headers when the
> > buffer is too small, so the driver can still process packets without
> > rfc1042 headers.
> >
> > Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets")
> > Signed-off-by: Pin-yen Lin <treapking@...omium.org>
>
> I'd appreciate another review/test from one of the others here
> (Matthew?), even though I know y'all are already working together.
>
> > ---
> >
> > Changes in v3:
> > - Really apply the sizeof call fix as it was missed in the previous patch
> >
> > Changes in v2:
> > - Fix sizeof call (sizeof(rx_pkt_hdr) --> sizeof(*rx_pkt_hdr))
> >
> >  drivers/net/wireless/marvell/mwifiex/sta_rx.c | 16 +++++++++-------
> >  1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> > index 65420ad67416..257737137cd7 100644
> > --- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> > +++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> > @@ -86,7 +86,8 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
> >       rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length);
> >       rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off;
> >
> > -     if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) {
> > +     if (sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) +
> > +         rx_pkt_off > skb->len) {
> >               mwifiex_dbg(priv->adapter, ERROR,
> >                           "wrong rx packet offset: len=%d, rx_pkt_off=%d\n",
> >                           skb->len, rx_pkt_off);
> > @@ -95,12 +96,13 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
> >               return -1;
> >       }
> >
> > -     if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
> > -                  sizeof(bridge_tunnel_header))) ||
> > -         (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
> > -                  sizeof(rfc1042_header)) &&
> > -          ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
> > -          ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX)) {
> > +     if (sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len &&
>
> Are you sure you want this length check to fall back to the non-802.3
> codepath? Isn't it an error to look like an 802.3 frame but to be too
> small? I'd think we want to drop such packets, not process them as-is.

I did that because I saw other drivers (e.g., [1], [2]) use similar
approaches, and I assumed that the rest of the pipeline will
eventually drop it if the packet cannot be recognized. But, yes, we
can just drop the packet here if it doesn't look good.

[1]: https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/intersil/hostap/hostap_80211_rx.c#L1035
[2]: https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/intel/ipw2x00/libipw_rx.c#L735
>
> If I'm correct, then this check should move inside the 'if' branch of
> this if/else.

We can't simply move the check inside the if branch because the
condition also checks rx_pkt_hdr->rfc1042_hdr.snap_type. Though, of
course, it is doable by adding another `if` conditions.
>
> Brian
>

Regards,
Pin-yen

> > +         ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
> > +                   sizeof(bridge_tunnel_header))) ||
> > +          (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
> > +                   sizeof(rfc1042_header)) &&
> > +           ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
> > +           ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX))) {
> >               /*
> >                *  Replace the 803 header and rfc1042 header (llc/snap) with an
> >                *    EthernetII header, keep the src/dst and snap_type
> > --
> > 2.42.0.283.g2d96d420d3-goog
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ