From: Len Baker <len.baker@gmx.com>
To: Yan-Hsuan Chuang <tony0620emma@gmail.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>
Cc: Len Baker <len.baker@gmx.com>,
	Stanislaw Gruszka <sgruszka@redhat.com>,
	Brian Norris <briannorris@chromium.org>,
	Pkshih <pkshih@realtek.com>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2] rtw88: Fix out-of-bounds write
Date: Fri, 16 Jul 2021 17:53:11 +0200
Message-ID: <20210716155311.5570-1-len.baker@gmx.com>

In the rtw_pci_init_rx_ring function the "if (len > TRX_BD_IDX_MASK)"
statement guarantees that len is less than or equal to GENMASK(11, 0) or
in other words that len is less than or equal to 4095. However the
rx_ring->buf has a size of RTK_MAX_RX_DESC_NUM (defined as 512). This
way an out-of-bounds write is possible in the for statement because
the i variable can exceed the rx_ring->buf size.

However, this overflow never happens because rtw_pci_init_rx_ring is
only ever called with a fixed constant of RTK_MAX_RX_DESC_NUM. But it is
better to be defensive in this case and add a new check to avoid
overflows if this function is called in the future with a value greater
than 512.

Cc: stable@vger.kernel.org
Addresses-Coverity-ID: 1461515 ("Out-of-bounds write")
Fixes: e3037485c68ec ("rtw88: new Realtek 802.11ac driver")
Signed-off-by: Len Baker <len.baker@gmx.com>
---
Changelog v1 -> v2
- Remove the macro ARRAY_SIZE from the for loop (Pkshih, Brian Norris).
- Add a new check for the len variable (Pkshih, Brian Norris).

 drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
index e7d17ab8f113..53dc90276693 100644
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -273,6 +273,11 @@ static int rtw_pci_init_rx_ring(struct rtw_dev *rtwdev,
 		return -EINVAL;
 	}

+	if (len > ARRAY_SIZE(rx_ring->buf)) {
+		rtw_err(rtwdev, "len %d exceeds maximum RX ring buffer\n", len);
+		return -EINVAL;
+	}
+
 	head = dma_alloc_coherent(&pdev->dev, ring_sz, &dma, GFP_KERNEL);
 	if (!head) {
 		rtw_err(rtwdev, "failed to allocate rx ring\n");
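Review bot: the added `if (len > ARRAY_SIZE(rx_ring->buf))` check lands directly after an earlier check that returns -EINVAL, which the commit message identifies as `if (len > TRX_BD_IDX_MASK)` (4095). With rx_ring->buf sized RTK_MAX_RX_DESC_NUM (512, per the commit message), the new bound is strictly tighter, so the older check can no longer fire on its own for this ring. Consider folding the two into a single bound, or add a short comment saying why both are kept (one is a hardware index limit, the other the array capacity), so a later reader does not delete the wrong one. Also confirm that the `%d` in the new rtw_err() matches the declared type of len, which is not visible in this hunk. Since the description states the overflow cannot happen with the current caller, the subject line and the stable Cc read stronger than the change itself; a subject along the lines of hardening or adding a bounds check would match it better.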
--
2.25.1

