lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 10 Dec 2022 20:47:39 +0800
From:   Li Zetao <lizetao1@...wei.com>
To:     Ping-Ke Shih <pkshih@...ltek.com>,
        "kvalo@...nel.org" <kvalo@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>
CC:     "Larry.Finger@...inger.net" <Larry.Finger@...inger.net>,
        "linville@...driver.com" <linville@...driver.com>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in
 _rtl8812ae_phy_set_txpower_limit()

Hi Ping-Ke,

On 2022/12/9 13:11, Ping-Ke Shih wrote:
>
>> -----Original Message-----
>> From: Li Zetao <lizetao1@...wei.com>
>> Sent: Wednesday, December 7, 2022 11:23 PM
>> To: Ping-Ke Shih <pkshih@...ltek.com>; kvalo@...nel.org; davem@...emloft.net; edumazet@...gle.com;
>> kuba@...nel.org; pabeni@...hat.com
>> Cc: lizetao1@...wei.com; Larry.Finger@...inger.net; linville@...driver.com;
>> linux-wireless@...r.kernel.org; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
>> Subject: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
>>
>> There is a global-out-of-bounds reported by KASAN:
>>
>>    BUG: KASAN: global-out-of-bounds in
>>    _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>>    Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411
>>
>>    CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D
>>    6.1.0-rc8+ #144 e15588508517267d37
>>    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
>>    Call Trace:
>>     <TASK>
>>     ...
>>     kasan_report+0xbb/0x1c0
>>     _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>>     rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]
>>     rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]
>>     ...
>>     </TASK>
>>
>> The root cause of the problem is that the comparison order of
>> "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The
>> _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two
>> strings, so this requires the length of the two strings be greater
>> than or equal to n. In the  _rtl8812ae_phy_set_txpower_limit(), it was
>> originally intended to meet this requirement by carefully designing
>> the comparison order. For example, "pregulation" and "pbandwidth" are
>> compared in order of length from small to large, first is 3 and last
>> is 4. However, the comparison order of "prate_section" dose not obey
>> such order requirement, therefore when "prate_section" is "HT", it will
>> lead to access out of bounds in _rtl8812ae_eq_n_byte().
>>
>> Fix it by adding a length check in _rtl8812ae_eq_n_byte(). Although it
>> can be fixed by adjusting the comparison order of "prate_section", this
>> may cause the value of "rate_section" to not be from 0 to 5. In
>> addition, commit "21e4b0726dc6" not only moved driver from staging to
>> regular tree, but also added setting txpower limit function during the
>> driver config phase, so the problem was introduced by this commit.
>>
>> Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree")
>> Signed-off-by: Li Zetao <lizetao1@...wei.com>
>> ---
>>   drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> index a29321e2fa72..720114a9ddb2 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> @@ -1600,7 +1600,7 @@ static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint)
>>
>>   static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num)
>>   {
> This can causes problem because it compares characters from tail to head, and
> we can't simply replace this by strncmp() that does similar work. But, I also
> don't like strlen() to loop 'str1' constantly.
>
> How about having a simple loop to compare characters forward:
>
> for (i = 0; i < num; i++)
>      if (str1[i] != str2[i])
>           return false;
>
> return true;

Thanks for your comment, but I don't think the problem has anything to 
do with head-to-tail or

tail-to-head comparison. The problem is that num is the length of str2, 
but the length of str1 may

be less than num, which may lead to reading str1 out of bounds, for 
example, when comparing

"prate_section", str1 may be "HT", while str2 may by "CCK", and num is 
3. So I think it is neccssary

to check the length of str1 to ensure that will not read out of bounds.


Looking forward to your comments.


With Best Regards,

Li Zetao

>> -	if (num == 0)
>> +	if (num == 0 || strlen(str1) < num)
>>   		return false;
>>   	while (num > 0) {
>>   		num--;
>> --
>> 2.31.1
>>
>>
>> ------Please consider the environment before printing this e-mail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ