All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Sven Eckelmann <sven@narfation.org>,
	Kalle Valo <quic_kvalo@quicinc.com>
Subject: [PATCH 5.15 23/41] ath11k: Fix buffer overflow when scanning with extraie
Date: Fri, 14 Jan 2022 09:16:23 +0100	[thread overview]
Message-ID: <20220114081545.932563648@linuxfoundation.org> (raw)
In-Reply-To: <20220114081545.158363487@linuxfoundation.org>

From: Sven Eckelmann <sven@narfation.org>

commit a658c929ded7ea3aee324c8c2a9635a5e5a38e7f upstream.

If cfg80211 is providing extraie's for a scanning process then ath11k will
copy that over to the firmware. The extraie.len is a 32 bit value in struct
element_info and describes the amount of bytes for the vendor information
elements.

The WMI_TLV packet is having a special WMI_TAG_ARRAY_BYTE section. This
section can have a (payload) length up to 65535 bytes because the
WMI_TLV_LEN can store up to 16 bits. The code was missing such a check and
could have created a scan request which cannot be parsed correctly by the
firmware.

But the bigger problem was the allocation of the buffer. It has to align
the TLV sections by 4 bytes. But the code was using an u8 to store the
newly calculated length of this section (with alignment). And the new
calculated length was then used to allocate the skbuff. But the actual code
to copy in the data is using the extraie.len and not the calculated
"aligned" length.

The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled
was 264 bytes during tests with a QCA Milan card. But it only allocated 8
bytes (264 bytes % 256) for it. As consequence, the code to memcpy the
extraie into the skb was then just overwriting data after skb->end. Things
like shinfo were therefore corrupted. This could usually be seen by a crash
in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus
address).

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-02892.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1

Cc: stable@vger.kernel.org
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20211207142913.1734635-1-sven@narfation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/ath11k/wmi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -2051,7 +2051,7 @@ int ath11k_wmi_send_scan_start_cmd(struc
 	void *ptr;
 	int i, ret, len;
 	u32 *tmp_ptr;
-	u8 extraie_len_with_pad = 0;
+	u16 extraie_len_with_pad = 0;
 	struct hint_short_ssid *s_ssid = NULL;
 	struct hint_bssid *hint_bssid = NULL;
 
@@ -2070,7 +2070,7 @@ int ath11k_wmi_send_scan_start_cmd(struc
 		len += sizeof(*bssid) * params->num_bssid;
 
 	len += TLV_HDR_SIZE;
-	if (params->extraie.len)
+	if (params->extraie.len && params->extraie.len <= 0xFFFF)
 		extraie_len_with_pad =
 			roundup(params->extraie.len, sizeof(u32));
 	len += extraie_len_with_pad;
@@ -2177,7 +2177,7 @@ int ath11k_wmi_send_scan_start_cmd(struc
 		      FIELD_PREP(WMI_TLV_LEN, len);
 	ptr += TLV_HDR_SIZE;
 
-	if (params->extraie.len)
+	if (extraie_len_with_pad)
 		memcpy(ptr, params->extraie.ptr,
 		       params->extraie.len);
 



  parent reply	other threads:[~2022-01-14  8:21 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-14  8:16 [PATCH 5.15 00/41] 5.15.15-rc1 review Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 01/41] s390/kexec: handle R_390_PLT32DBL rela in arch_kexec_apply_relocations_add() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 02/41] workqueue: Fix unbind_workers() VS wq_worker_running() race Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 03/41] staging: r8188eu: switch the led off during deinit Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 04/41] bpf: Fix out of bounds access from invalid *_or_null type verification Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 05/41] Bluetooth: btusb: Add protocol for MediaTek bluetooth devices(MT7922) Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 06/41] Bluetooth: btusb: Add the new support ID for Realtek RTL8852A Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 07/41] Bluetooth: btusb: Add support for IMC Networks Mediatek Chip(MT7921) Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 08/41] Bbluetooth: btusb: Add another Bluetooth part for Realtek 8852AE Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 09/41] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 10/41] Bluetooth: btusb: enable Mediatek to support AOSP extension Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 11/41] Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 12/41] Bluetooth: btusb: Add the new support IDs for WCN6855 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 13/41] fget: clarify and improve __fget_files() implementation Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 14/41] Bluetooth: btusb: Add one more Bluetooth part for WCN6855 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 15/41] Bluetooth: btusb: Add two more Bluetooth parts " Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 16/41] Bluetooth: btusb: Add support for Foxconn MT7922A Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 17/41] Bluetooth: btintel: Fix broken LED quirk for legacy ROM devices Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 18/41] Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 19/41] Bluetooth: bfusb: fix division by zero in send path Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 20/41] ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 21/41] USB: core: Fix bug in resuming hubs handling of wakeup requests Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 22/41] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Greg Kroah-Hartman
2022-01-14  8:16 ` Greg Kroah-Hartman [this message]
2022-01-14  8:16 ` [PATCH 5.15 24/41] mmc: sdhci-pci: Add PCI ID for Intel ADL Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 25/41] Bluetooth: add quirk disabling LE Read Transmit Power Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 26/41] Bluetooth: btbcm: disable read tx power for some Macs with the T2 Security chip Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 27/41] Bluetooth: btbcm: disable read tx power for MacBook Air 8,1 and 8,2 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 28/41] veth: Do not record rx queue hint in veth_xmit Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 29/41] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 30/41] x86/mce: Remove noinstr annotation from mce_setup() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 31/41] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 32/41] can: isotp: convert struct tpcon::{idx,len} to unsigned int Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 33/41] can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 34/41] random: fix data race on crng_node_pool Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 35/41] random: fix data race on crng init time Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 36/41] random: fix crash on multiple early calls to add_bootloader_randomness() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 37/41] platform/x86/intel: hid: add quirk to support Surface Go 3 Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 38/41] media: Revert "media: uvcvideo: Set unique vdev name based in type" Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 39/41] staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 40/41] drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk() Greg Kroah-Hartman
2022-01-14  8:16 ` [PATCH 5.15 41/41] staging: greybus: fix stack size warning with UBSAN Greg Kroah-Hartman
2022-01-14 17:43 ` [PATCH 5.15 00/41] 5.15.15-rc1 review Naresh Kamboju
2022-01-14 18:09 ` Jon Hunter
2022-01-14 19:59 ` Ron Economos
2022-01-15  8:14   ` Greg Kroah-Hartman
2022-01-15 11:52     ` Ron Economos
2022-01-15 12:15       ` Greg Kroah-Hartman
2022-01-15 12:31         ` Ron Economos
2022-01-14 22:29 ` Florian Fainelli
2022-01-14 23:32 ` Fox Chen
2022-01-15  0:24 ` Shuah Khan
2022-01-15 11:03 ` Sudip Mukherjee
2022-01-15 14:47 ` Andrei Rabusov
2022-01-15 16:39 ` Guenter Roeck
2022-01-15 16:48 ` Jeffrin Jose T

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220114081545.932563648@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=quic_kvalo@quicinc.com \
    --cc=stable@vger.kernel.org \
    --cc=sven@narfation.org \
    --subject='Re: [PATCH 5.15 23/41] ath11k: Fix buffer overflow when scanning with extraie' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.