lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20220327141136.17059-1-xiam0nd.tong@gmail.com>
Date:   Sun, 27 Mar 2022 22:11:36 +0800
From:   Xiaomeng Tong <xiam0nd.tong@...il.com>
To:     chunkeey@...il.com
Cc:     chunkeey@...glemail.com, davem@...emloft.net, kuba@...nel.org,
        kvalo@...nel.org, linux-kernel@...r.kernel.org,
        linux-wireless@...r.kernel.org, linville@...driver.com,
        netdev@...r.kernel.org, pabeni@...hat.com, stable@...r.kernel.org,
        xiam0nd.tong@...il.com
Subject: Re: [PATCH] carl9170: main: fix an incorrect use of list iterator

On Sun, 27 Mar 2022 14:05:29, Christian Lamparter <chunkeey@...il.com> wrote:
> Hi,
> 
> On 27/03/2022 09:27, Xiaomeng Tong wrote:
> > The bug is here:
> > 	rcu_assign_pointer(ar->tx_ampdu_iter,
> > 		(struct carl9170_sta_tid *) &ar->tx_ampdu_list);
> 
> yeah, so... I know there's currently a big discussion revolving
> around LISTs due to incoming the GNU89 to GNU11 switch. I'm not
> currently aware that something related to this had updated
> INIT_LIST_HEAD + friends. So, please tell me if there is extra
> information that has to be considered.
> 
> > The 'ar->tx_ampdu_iter' is used as a list iterator variable
> > which point to a structure object containing the list HEAD
> > (&ar->tx_ampdu_list), not as the HEAD itself.
> > 
> > The only use case of 'ar->tx_ampdu_iter' is as a base pos
> > for list_for_each_entry_continue_rcu in carl9170_tx_ampdu().
> > If the iterator variable holds the *wrong* HEAD value here
> > (has not been modified elsewhere before), this will lead to
> > an invalid memory access.
> > 
> > Using list_entry_rcu to get the right list iterator variable
> > and reassign it, to fix this bug.
> > Note: use 'ar->tx_ampdu_list.next' instead of '&ar->tx_ampdu_list'
> > to avoid compiler error.
> > 
> > Cc: stable@...r.kernel.org
> > Fixes: fe8ee9ad80b28 ("carl9170: mac80211 glue and command interface")
> > Signed-off-by: Xiaomeng Tong <xiam0nd.tong@...il.com>
> > ---
> >   drivers/net/wireless/ath/carl9170/main.c | 6 ++++--
> >   1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
> > index 49f7ee1c912b..a287937bf666 100644
> > --- a/drivers/net/wireless/ath/carl9170/main.c
> > +++ b/drivers/net/wireless/ath/carl9170/main.c
> > @@ -1756,6 +1756,7 @@ static const struct ieee80211_ops carl9170_ops = {
> >   
> >   void *carl9170_alloc(size_t priv_size)
> >   {
> > +	struct carl9170_sta_tid *tid_info;
> >   	struct ieee80211_hw *hw;
> >   	struct ar9170 *ar;
> >   	struct sk_buff *skb;
> > @@ -1815,8 +1816,9 @@ void *carl9170_alloc(size_t priv_size)
> >   	INIT_DELAYED_WORK(&ar->stat_work, carl9170_stat_work);
> >   	INIT_DELAYED_WORK(&ar->tx_janitor, carl9170_tx_janitor);
> >   	INIT_LIST_HEAD(&ar->tx_ampdu_list);
> > -	rcu_assign_pointer(ar->tx_ampdu_iter,
> > -			   (struct carl9170_sta_tid *) &ar->tx_ampdu_list);
> > +	tid_info = list_entry_rcu(ar->tx_ampdu_list.next,
> > +				struct carl9170_sta_tid, list);
> > +	rcu_assign_pointer(ar->tx_ampdu_iter, tid_info);
> 
> 
> I've tested this. I've added the following pr_info that would
> print the (raw) pointer of both your new method (your patch)
> and the old (current code) one:
> 
>   pr_info("new:%px\n", list_entry_rcu(ar->tx_ampdu_list.next,struct carl9170_sta_tid, list)); // tid_info
>   pr_info("old:%px\n", (struct carl9170_sta_tid *) &ar->tx_ampdu_list);
> 
> and run it on AR9170 USB Stick
> 
> [  216.547932] usb 2-10: SerialNumber: 12345
> [  216.673629] usb 2-10: reset high-speed USB device number 10 using xhci_hcd
> [  216.853488] new:ffff9394268a38e0
> [  216.853496] old:ffff9394268a38e0
> [  216.858174] usb 2-10: driver   API: 1.9.9 2016-02-15 [1-1]
> [  216.858186] usb 2-10: firmware API: 1.9.9 2021-02-05
> 
> phew, what a relieve :). Both the new and old pointers are the same.
> 

I double check it, and this should not be a bug, at least for now.
the 'list' happens to be the first member of struct carl9170_sta_tid,
so both the new and old pointers are the same. However, we should not
depend on the member order of structure or compiler to guarantee the
correctness, in case some day the order is changed by accident. Instead,
we should guarantee it using the correct logic explicitly.

--
Xiaomeng Tong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ