[PATCH resend] airo: Fix read overflow in mpi_send_packet()

[PATCH resend] airo: Fix read overflow in mpi_send_packet()

[Dan Carpenter]

The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
overflow.

The fix for is to pad skb->data with zeroes so that it's never less than
ETH_ZLEN bytes.

c: <stable@vger.kernel.org>
Reported-by: Hu Jiahui <kirin.say@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Resending to the public lists so that it can go through the normal
review process.

My other concern with this driver is why is the ->max_mtu 2400 when it
looks like we are allocating PKTSIZE (1840) byte buffers to hold it in
mpi_map_card()?  I don't fully understand the code but that seems like
it could be a buffer overflow as well.  I'm not sure what the
appropriate fix is for that.

 drivers/net/wireless/cisco/airo.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
index 8363f91df7ea7..7c5634f72cc72 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -1925,6 +1925,11 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!",__func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb->len < ETH_ZLEN) {
+		if (skb_padto(skb, ETH_ZLEN))
+			return NETDEV_TX_OK;
+	}
+
 	npacks = skb_queue_len (&ai->txq);
 
 	if (npacks >= MAXTXQ - 1) {
@@ -1975,8 +1980,7 @@ static int mpi_send_packet (struct net_device *dev)
 		return 0;
 	}
 
-	/* check min length*/
-	len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
+	len = skb->len;
 	buffer = skb->data;
 
 	ai->txfids[0].tx_desc.offset = 0;
-- 
2.26.2

Re: [PATCH resend] airo: Fix read overflow in mpi_send_packet()

[Eric Dumazet]

On Wed, May 27, 2020 at 6:37 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
> skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
> overflow.
>
> The fix for is to pad skb->data with zeroes so that it's never less than
> ETH_ZLEN bytes.
>
> c: <stable@vger.kernel.org>
> Reported-by: Hu Jiahui <kirin.say@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Resending to the public lists so that it can go through the normal
> review process.
>
> My other concern with this driver is why is the ->max_mtu 2400 when it
> looks like we are allocating PKTSIZE (1840) byte buffers to hold it in
> mpi_map_card()?  I don't fully understand the code but that seems like
> it could be a buffer overflow as well.  I'm not sure what the
> appropriate fix is for that.
>
>  drivers/net/wireless/cisco/airo.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
> index 8363f91df7ea7..7c5634f72cc72 100644
> --- a/drivers/net/wireless/cisco/airo.c
> +++ b/drivers/net/wireless/cisco/airo.c
> @@ -1925,6 +1925,11 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
>                 airo_print_err(dev->name, "%s: skb == NULL!",__func__);
>                 return NETDEV_TX_OK;
>         }
> +       if (skb->len < ETH_ZLEN) {

No need to duplicate the test.

Just use

       if (skb_padto(skb, ETH_ZLEN)) {
              dev->stats.tx_dropped++;
              return NETDEV_TX_OK;
       }

> +               if (skb_padto(skb, ETH_ZLEN))
> +                       return NETDEV_TX_OK;
> +       }
> +
>         npacks = skb_queue_len (&ai->txq);
>
>         if (npacks >= MAXTXQ - 1) {
> @@ -1975,8 +1980,7 @@ static int mpi_send_packet (struct net_device *dev)
>                 return 0;
>         }
>
> -       /* check min length*/
> -       len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
> +       len = skb->len;
>         buffer = skb->data;
>
>         ai->txfids[0].tx_desc.offset = 0;
> --
> 2.26.2

[PATCH v2] airo: Fix read overflows sending packets

[Dan Carpenter]

The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
overflow.

The fix is to pad skb->data with zeroes so that it's never less than
ETH_ZLEN bytes.

Cc: <stable@vger.kernel.org>
Reported-by: Hu Jiahui <kirin.say@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: remove an unnecessary if statement
    increment the ->tx_dropped count on failure
    fix found two more instances of the same bug.
    fix typo in the "Cc: <stable@vger.kernel.org>" tag

 drivers/net/wireless/cisco/airo.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
index 8363f91df7ea..c80712e61ccf 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -1925,6 +1925,11 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!",__func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
+
 	npacks = skb_queue_len (&ai->txq);
 
 	if (npacks >= MAXTXQ - 1) {
@@ -1975,8 +1980,7 @@ static int mpi_send_packet (struct net_device *dev)
 		return 0;
 	}
 
-	/* check min length*/
-	len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
+	len = skb->len;
 	buffer = skb->data;
 
 	ai->txfids[0].tx_desc.offset = 0;
@@ -2118,7 +2122,6 @@ static void airo_end_xmit(struct net_device *dev) {
 static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
 					 struct net_device *dev)
 {
-	s16 len;
 	int i, j;
 	struct airo_info *priv = dev->ml_priv;
 	u32 *fids = priv->fids;
@@ -2127,6 +2130,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!", __func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
 
 	/* Find a vacant FID */
 	for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
@@ -2140,10 +2147,8 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
 			return NETDEV_TX_BUSY;
 		}
 	}
-	/* check min length*/
-	len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
         /* Mark fid as used & save length for later */
-	fids[i] |= (len << 16);
+	fids[i] |= (skb->len << 16);
 	priv->xmit.skb = skb;
 	priv->xmit.fid = i;
 	if (down_trylock(&priv->sem) != 0) {
@@ -2185,7 +2190,6 @@ static void airo_end_xmit11(struct net_device *dev) {
 static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
 					   struct net_device *dev)
 {
-	s16 len;
 	int i, j;
 	struct airo_info *priv = dev->ml_priv;
 	u32 *fids = priv->fids;
@@ -2201,6 +2205,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!", __func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
 
 	/* Find a vacant FID */
 	for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
@@ -2214,10 +2222,8 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
 			return NETDEV_TX_BUSY;
 		}
 	}
-	/* check min length*/
-	len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
         /* Mark fid as used & save length for later */
-	fids[i] |= (len << 16);
+	fids[i] |= (skb->len << 16);
 	priv->xmit11.skb = skb;
 	priv->xmit11.fid = i;
 	if (down_trylock(&priv->sem) != 0) {
-- 
2.11.0

Re: [PATCH v2] airo: Fix read overflows sending packets

[Eric Dumazet]

On Wed, May 27, 2020 at 10:58 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
> skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
> overflow.
>
> The fix is to pad skb->data with zeroes so that it's never less than
> ETH_ZLEN bytes.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: Hu Jiahui <kirin.say@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: remove an unnecessary if statement
>     increment the ->tx_dropped count on failure
>     fix found two more instances of the same bug.
>     fix typo in the "Cc: <stable@vger.kernel.org>" tag
>
>  drivers/net/wireless/cisco/airo.c | 26 ++++++++++++++++----------
>  1 file changed, 16 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
> index 8363f91df7ea..c80712e61ccf 100644
> --- a/drivers/net/wireless/cisco/airo.c
> +++ b/drivers/net/wireless/cisco/airo.c
> @@ -1925,6 +1925,11 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
>                 airo_print_err(dev->name, "%s: skb == NULL!",__func__);
>                 return NETDEV_TX_OK;
>         }
> +       if (skb_padto(skb, ETH_ZLEN)) {
> +               dev->stats.tx_dropped++;
> +               return NETDEV_TX_OK;
> +       }
> +
>         npacks = skb_queue_len (&ai->txq);
>
>         if (npacks >= MAXTXQ - 1) {
> @@ -1975,8 +1980,7 @@ static int mpi_send_packet (struct net_device *dev)
>                 return 0;
>         }
>
> -       /* check min length*/
> -       len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;

Note that skb_padto() does not change skb->len

So this patch could trigger a hardware bug.

> +       len = skb->len;
>         buffer = skb->data;
>
>         ai->txfids[0].tx_desc.offset = 0;
> @@ -2118,7 +2122,6 @@ static void airo_end_xmit(struct net_device *dev) {
>  static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
>                                          struct net_device *dev)
>  {
> -       s16 len;
>         int i, j;
>         struct airo_info *priv = dev->ml_priv;
>         u32 *fids = priv->fids;
> @@ -2127,6 +2130,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
>                 airo_print_err(dev->name, "%s: skb == NULL!", __func__);
>                 return NETDEV_TX_OK;
>         }
> +       if (skb_padto(skb, ETH_ZLEN)) {
> +               dev->stats.tx_dropped++;
> +               return NETDEV_TX_OK;
> +       }
>
>         /* Find a vacant FID */
>         for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
> @@ -2140,10 +2147,8 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
>                         return NETDEV_TX_BUSY;
>                 }
>         }
> -       /* check min length*/
> -       len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
>          /* Mark fid as used & save length for later */
> -       fids[i] |= (len << 16);
> +       fids[i] |= (skb->len << 16);
>         priv->xmit.skb = skb;
>         priv->xmit.fid = i;
>         if (down_trylock(&priv->sem) != 0) {
> @@ -2185,7 +2190,6 @@ static void airo_end_xmit11(struct net_device *dev) {
>  static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
>                                            struct net_device *dev)
>  {
> -       s16 len;
>         int i, j;
>         struct airo_info *priv = dev->ml_priv;
>         u32 *fids = priv->fids;
> @@ -2201,6 +2205,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
>                 airo_print_err(dev->name, "%s: skb == NULL!", __func__);
>                 return NETDEV_TX_OK;
>         }
> +       if (skb_padto(skb, ETH_ZLEN)) {
> +               dev->stats.tx_dropped++;
> +               return NETDEV_TX_OK;
> +       }
>
>         /* Find a vacant FID */
>         for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
> @@ -2214,10 +2222,8 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
>                         return NETDEV_TX_BUSY;
>                 }
>         }
> -       /* check min length*/
> -       len = ETH_ZLEN < skb->len ? skb->len : ETH_ZLEN;
>          /* Mark fid as used & save length for later */
> -       fids[i] |= (len << 16);
> +       fids[i] |= (skb->len << 16);
>         priv->xmit11.skb = skb;
>         priv->xmit11.fid = i;
>         if (down_trylock(&priv->sem) != 0) {
> --
> 2.11.0
>

[PATCH v3] airo: Fix read overflows sending packets

[Dan Carpenter]

The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
overflow.

The fix is to pad skb->data to at least ETH_ZLEN bytes.

Cc: <stable@vger.kernel.org>
Reported-by: Hu Jiahui <kirin.say@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: remove an unnecessary if statement
    increment the ->tx_dropped count on failure
    fix found two more instances of the same bug.
    fix typo in the "Cc: <stable@vger.kernel.org>" tag
v3: I had thought that skb_padto() updated skb->len so that it would
    always be more than ETH_ZLEN meaning that we could delete the checks
    for smaller values:  "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;"
    But I was wrong and those are still required.

 drivers/net/wireless/cisco/airo.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
index 8363f91df7ea7..827bb6d74815a 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -1925,6 +1925,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!",__func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
 	npacks = skb_queue_len (&ai->txq);
 
 	if (npacks >= MAXTXQ - 1) {
@@ -2127,6 +2131,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!", __func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
 
 	/* Find a vacant FID */
 	for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
@@ -2201,6 +2209,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
 		airo_print_err(dev->name, "%s: skb == NULL!", __func__);
 		return NETDEV_TX_OK;
 	}
+	if (skb_padto(skb, ETH_ZLEN)) {
+		dev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
 
 	/* Find a vacant FID */
 	for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
-- 
2.26.2

Re: [PATCH v3] airo: Fix read overflows sending packets

[Sasha Levin]

Hi

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has tested the following trees: v5.6.14, v5.4.42, v4.19.124, v4.14.181, v4.9.224, v4.4.224.

v5.6.14: Build OK!
v5.4.42: Build OK!
v4.19.124: Build OK!
v4.14.181: Build OK!
v4.9.224: Build OK!
v4.4.224: Failed to apply! Possible dependencies:
    Unable to calculate


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

-- 
Thanks
Sasha

Re: [PATCH v3] airo: Fix read overflows sending packets

[Eric Dumazet]

On Wed, May 27, 2020 at 11:48 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
> skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
> overflow.
>
> The fix is to pad skb->data to at least ETH_ZLEN bytes.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: Hu Jiahui <kirin.say@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: remove an unnecessary if statement
>     increment the ->tx_dropped count on failure
>     fix found two more instances of the same bug.
>     fix typo in the "Cc: <stable@vger.kernel.org>" tag
> v3: I had thought that skb_padto() updated skb->len so that it would
>     always be more than ETH_ZLEN meaning that we could delete the checks
>     for smaller values:  "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;"
>     But I was wrong and those are still required.
>
>  drivers/net/wireless/cisco/airo.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH v3] airo: Fix read overflows sending packets

[Kalle Valo]

Dan Carpenter <dan.carpenter@oracle.com> wrote:

> The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
> skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
> overflow.
> 
> The fix is to pad skb->data to at least ETH_ZLEN bytes.
> 
> Cc: <stable@vger.kernel.org>
> Reported-by: Hu Jiahui <kirin.say@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Eric Dumazet <edumazet@google.com>

Patch applied to wireless-drivers-next.git, thanks.

11e7a91994c2 airo: Fix read overflows sending packets

-- 
https://patchwork.kernel.org/patch/11573765/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches