From: Sid Hayn <sidhayn@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Johannes Berg <johannes.berg@intel.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] mac80211: fix radiotap header generation
Date: Tue, 9 Nov 2021 11:13:26 -0500
Message-ID: <CAM0KTbAHBkpdfK2DxnhbxvaqQYHJEF-iY7Nnt1___PUHk8y0Lg@mail.gmail.com>
In-Reply-To: <20211109100203.c61007433ed6.I1dade57aba7de9c4f48d68249adbae62636fd98c@changeid>

Please add my tested-by as well.  I tested with and without this patch
on multiple chipsets and everything appears functional now.  Thanks
for the quick fix!

Tested-by: Sid Hayn <sidhayn@gmail.com>

On Tue, Nov 9, 2021 at 4:02 AM Johannes Berg <johannes@sipsolutions.net> wrote:
>
> From: Johannes Berg <johannes.berg@intel.com>
>
> In commit 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header
> bitmap") we accidentally pointed the position to the wrong place, so
> we overwrite a present bitmap, and thus cause all kinds of trouble.
>
> To see the issue, note that the previous code read:
>
>   pos = (void *)(it_present + 1);
>
> The requirement now is that we need to calculate pos via it_optional,
> to not trigger the compiler hardening checks, as:
>
>   pos = (void *)&rthdr->it_optional[...];
>
> Rewriting the original expression, we get (obviously, since that just
> adds "+ x - x" terms):
>
>   pos = (void *)(it_present + 1 + rthdr->it_optional - rthdr->it_optional)
>
> and moving the "+ rthdr->it_optional" outside to be used as an array:
>
>   pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
>
> The original is off by one, fix it.
>
> Cc: stable@vger.kernel.org
> Fixes: 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header bitmap")
> Reported-by: Sid Hayn <sidhayn@gmail.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/mac80211/rx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
> index fc5c608d02e2..3562730ea0f8 100644
> --- a/net/mac80211/rx.c
> +++ b/net/mac80211/rx.c
> @@ -364,7 +364,7 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
>          * the compiler to think we have walked past the end of the
>          * struct member.
>          */
> -       pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];
> +       pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
>
>         /* the order of the following fields is important */
>
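Review bot: the comment directly above this assignment (about not letting the compiler think we walked past the end of the struct member) explains why pos is expressed through it_optional, but not what the index means; a one-line addition such as "index is the number of extended bitmap words already emitted, zero when it_present still points at rthdr->it_present" would make the "+ 1" self-explaining and guard against the off-by-one returning. With no extended bitmap the removed form evaluated to &rthdr->it_optional[-1], which is &rthdr->it_present itself, so the fields written at pos overwrote the bitmap exactly as the commit message describes; the new form yields &rthdr->it_optional[0] in that case.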
> --
> 2.31.1
>

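The following is an added example, not kernel code and not part of the thread: a stand-alone model of the it_present/it_optional arithmetic from ieee80211_add_rx_radiotap_header(), written to show concretely where the data pointer lands with the pre-patch and the patched expression. The struct mirrors the field layout of struct ieee80211_radiotap_header but uses plain host integers instead of __le16/__le32 (assumed little-endian host); the helper names, the TSFT marker value and the bitmap contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the radiotap header as laid out by
 * struct ieee80211_radiotap_header: same field order and sizes, but plain
 * host-endian integers stand in for the kernel's __le16/__le32 (assumption:
 * little-endian host, so the values match the on-air encoding).
 */
struct radiotap_header {
	uint8_t  it_version;    /* always 0 */
	uint8_t  it_pad;
	uint16_t it_len;        /* length of the whole header, data fields included */
	uint32_t it_present;    /* first present bitmap */
	uint32_t it_optional[]; /* extended bitmaps (if any), then the data fields */
};

#define RADIOTAP_TSFT 0   /* bit 0: an 8-byte TSFT field follows the bitmaps */
#define RADIOTAP_EXT  31  /* bit 31: one more bitmap word follows this one */

static const uint64_t TSFT_MARKER = 0x1122334455667788ULL; /* constructed payload */

/*
 * Write n_ext + 1 bitmap words the way mac80211 does (advancing it_present
 * once per extended word), then derive the data pointer with either the
 * pre-patch (fixed == 0) or the patched (fixed == 1) expression.
 * Returns the byte offset of that pointer from the start of the header.
 */
static size_t emit_bitmaps(struct radiotap_header *rthdr, unsigned n_ext, int fixed)
{
	uint32_t *it_present = &rthdr->it_present;
	uint32_t it_present_val = 1u << RADIOTAP_TSFT;
	uint8_t *pos;

	rthdr->it_version = 0;
	rthdr->it_pad = 0;

	for (unsigned i = 0; i < n_ext; i++) {
		*it_present++ = it_present_val | (1u << RADIOTAP_EXT);
		it_present_val = 0;  /* extended words carry no bits in this model */
	}
	*it_present = it_present_val;  /* final bitmap word: EXT bit clear */

	/* Same index form as the kernel; only the "+ 1" distinguishes the two. */
	if (fixed)
		pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
	else
		pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];

	return (size_t)(pos - (uint8_t *)rthdr);
}

/* Offset at which the first data field lands for a given extended-bitmap count. */
size_t radiotap_data_offset(unsigned n_ext, int fixed)
{
	uint32_t storage[32] = { 0 };  /* uint32_t array gives the header its alignment */
	return emit_bitmaps((struct radiotap_header *)storage, n_ext, fixed);
}

/*
 * Build the header, write the TSFT field at the computed position, then
 * verify that every bitmap word still holds what was written.
 * Returns 1 if the bitmap chain is intact, 0 if the data field clobbered it.
 */
int radiotap_bitmap_intact(unsigned n_ext, int fixed)
{
	uint32_t storage[32] = { 0 };
	struct radiotap_header *rthdr = (struct radiotap_header *)storage;
	size_t off = emit_bitmaps(rthdr, n_ext, fixed);

	memcpy((uint8_t *)rthdr + off, &TSFT_MARKER, sizeof(TSFT_MARKER));
	rthdr->it_len = (uint16_t)(off + sizeof(TSFT_MARKER));

	/* storage[1] is it_present, storage[2..] is it_optional[] */
	for (unsigned i = 0; i <= n_ext; i++) {
		uint32_t expect = 0;

		if (i == 0)
			expect |= 1u << RADIOTAP_TSFT;
		if (i < n_ext)
			expect |= 1u << RADIOTAP_EXT;
		if (storage[1 + i] != expect)
			return 0;
	}
	return 1;
}

int main(void)
{
	for (unsigned n_ext = 0; n_ext < 3; n_ext++)
		printf("n_ext=%u  buggy: off=%zu intact=%d   fixed: off=%zu intact=%d\n",
		       n_ext,
		       radiotap_data_offset(n_ext, 0), radiotap_bitmap_intact(n_ext, 0),
		       radiotap_data_offset(n_ext, 1), radiotap_bitmap_intact(n_ext, 1));
	return 0;
}
```

With no extended bitmap the pre-patch expression resolves to byte offset 4, i.e. rthdr->it_present itself, so the first data field overwrites the bitmap; the patched form resolves to offset 8, the first byte after it. With extended bitmaps the buggy form always lands on the last bitmap word instead of just past it, which is why the breakage showed up regardless of chipset.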

Thread overview: 4+ messages
2021-11-09  9:02 [PATCH] mac80211: fix radiotap header generation Johannes Berg
2021-11-09 16:13 ` Sid Hayn [this message]
2021-11-09 17:17 ` Kees Cook
