All of lore.kernel.org
 help / color / mirror / Atom feed
From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH v2 36/47] iwlwifi: mvm: validate firmware sync response size
Date: Wed,  9 Dec 2020 23:16:40 +0200	[thread overview]
Message-ID: <iwlwifi.20201209231352.a5a8173f16c7.I4fa68bb2b1c7dcc52ddd381c4042722d27c4a34d@changeid> (raw)
In-Reply-To: <20201209211651.968276-1-luca@coelho.fi>

From: Johannes Berg <johannes.berg@intel.com>

We send some data to the firmware and expect to get it back,
but we shouldn't really trust the firmware on this. Check the
size of all the data we send down to avoid using bad or just
uninitialized data when the firmware doesn't respond right.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index b27aa4760347..e4f73b6cd94c 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -747,10 +747,18 @@ void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct napi_struct *napi,
 	struct iwl_rx_packet *pkt = rxb_addr(rxb);
 	struct iwl_rxq_sync_notification *notif;
 	struct iwl_mvm_internal_rxq_notif *internal_notif;
+	u32 len = iwl_rx_packet_payload_len(pkt);
 
 	notif = (void *)pkt->data;
 	internal_notif = (void *)notif->payload;
 
+	if (WARN_ONCE(len < sizeof(*notif) + sizeof(*internal_notif),
+		      "invalid notification size %d (%d)",
+		      len, (int)(sizeof(*notif) + sizeof(*internal_notif))))
+		return;
+	/* remove only the firmware header, we want all of our payload below */
+	len -= sizeof(*notif);
+
 	if (internal_notif->sync &&
 	    mvm->queue_sync_cookie != internal_notif->cookie) {
 		WARN_ONCE(1, "Received expired RX queue sync message\n");
@@ -759,11 +767,22 @@ void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct napi_struct *napi,
 
 	switch (internal_notif->type) {
 	case IWL_MVM_RXQ_EMPTY:
+		WARN_ONCE(len != sizeof(*internal_notif),
+			  "invalid empty notification size %d (%d)",
+			  len, (int)sizeof(*internal_notif));
 		break;
 	case IWL_MVM_RXQ_NOTIF_DEL_BA:
+		if (WARN_ONCE(len != sizeof(struct iwl_mvm_rss_sync_notif),
+			      "invalid delba notification size %d (%d)",
+			      len, (int)sizeof(struct iwl_mvm_rss_sync_notif)))
+			break;
 		iwl_mvm_del_ba(mvm, queue, (void *)internal_notif->data);
 		break;
 	case IWL_MVM_RXQ_NSSN_SYNC:
+		if (WARN_ONCE(len != sizeof(struct iwl_mvm_rss_sync_notif),
+			      "invalid nssn sync notification size %d (%d)",
+			      len, (int)sizeof(struct iwl_mvm_rss_sync_notif)))
+			break;
 		iwl_mvm_nssn_sync(mvm, napi, queue,
 				  (void *)internal_notif->data);
 		break;
-- 
2.29.2


  parent reply	other threads:[~2020-12-09 21:22 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-09 21:16 [PATCH v2 00/47] iwlwifi: final patches for v5.11 2020-12-09 Luca Coelho
2020-12-09 21:16 ` [PATCH v2 01/47] iwlwifi: remove all queue resources before free Luca Coelho
2020-12-09 22:11   ` Luca Coelho
2020-12-09 21:16 ` [PATCH v2 02/47] iwlwifi: yoyo: add the ability to dump phy periphery Luca Coelho
2020-12-09 21:16 ` [PATCH v2 03/47] iwlwifi: yoyo: align the write pointer to DWs Luca Coelho
2020-12-09 21:16 ` [PATCH v2 04/47] iwlwifi: mvm: fix sar profile printing issue Luca Coelho
2020-12-09 21:16 ` [PATCH v2 05/47] iwlwifi: move reclaim flows to the queue file Luca Coelho
2020-12-09 21:16 ` [PATCH v2 06/47] iwlwifi: d3: do not send the WOWLAN_CONFIGURATION command for netdetect Luca Coelho
2020-12-09 21:16 ` [PATCH v2 07/47] iwlwifi: update MAINTAINERS entry Luca Coelho
2020-12-09 21:16 ` [PATCH v2 08/47] iwlwifi: mvm: Init error table memory to zero Luca Coelho
2020-12-09 21:16 ` [PATCH v2 09/47] iwlwifi: mvm: remove the read_nvm from iwl_run_init_mvm_ucode Luca Coelho
2020-12-09 21:16 ` [PATCH v2 10/47] iwlwifi: pcie: remove obsolete pre-release support code Luca Coelho
2020-12-09 21:16 ` [PATCH v2 11/47] iwlwifi: copy iwl_he_capa for modifications Luca Coelho
2020-12-09 21:16 ` [PATCH v2 12/47] iwlwifi: mvm: add support for 6GHz Luca Coelho
2020-12-09 22:06   ` [PATCH v3 34/47] " Luca Coelho
2020-12-09 22:12     ` Luca Coelho
2020-12-09 21:16 ` [PATCH v2 13/47] iwlwifi: enable sending/setting debug host event Luca Coelho
2020-12-09 22:15   ` Luca Coelho
2020-12-09 21:16 ` [PATCH v2 14/47] iwlwifi: avoid endless HW errors at assert time Luca Coelho
2020-12-09 21:16 ` [PATCH v2 15/47] iwlwifi: mvm: remove the read_nvm from iwl_run_unified_mvm_ucode Luca Coelho
2020-12-09 21:16 ` [PATCH v2 16/47] iwlwifi: follow the new inclusive terminology Luca Coelho
2020-12-09 21:16 ` [PATCH v2 17/47] iwlwifi: fix typo in comment Luca Coelho
2020-12-09 21:16 ` [PATCH v2 18/47] iwlwifi: sort out the NVM offsets Luca Coelho
2020-12-09 21:16 ` [PATCH v2 19/47] iwlwifi: mvm: iterate active stations when updating statistics Luca Coelho
2020-12-09 21:16 ` [PATCH v2 20/47] iwlwifi: validate MPDU length against notification length Luca Coelho
2020-12-09 21:16 ` [PATCH v2 21/47] iwlwifi: pcie: validate RX descriptor length Luca Coelho
2020-12-09 21:16 ` [PATCH v2 22/47] iwlwifi: remove sw_csum_tx Luca Coelho
2020-12-09 21:16 ` [PATCH v2 23/47] iwlwifi: mvm: clear up iwl_mvm_notify_rx_queue() argument type Luca Coelho
2020-12-09 21:16 ` [PATCH v2 24/47] iwlwifi: mvm: move iwl_mvm_stop_device() out of line Luca Coelho
2020-12-09 21:16 ` [PATCH v2 25/47] iwlwifi: pcie: change 12k A-MSDU config to use 16k buffers Luca Coelho
2020-12-09 21:16 ` [PATCH v2 26/47] iwlwifi: mvm: fix 22000 series driver NMI Luca Coelho
2020-12-09 21:16 ` [PATCH v2 27/47] iwlwifi: mvm: do more useful queue sync accounting Luca Coelho
2020-12-09 21:16 ` [PATCH v2 28/47] iwlwifi: mvm: clean up scan state on failure Luca Coelho
2020-12-09 21:16 ` [PATCH v2 29/47] iwlwifi: pcie: remove MSIX_HW_INT_CAUSES_REG_IML handling Luca Coelho
2020-12-09 21:16 ` [PATCH v2 30/47] iwlwifi: fw: file: fix documentation for SAR flag Luca Coelho
2020-12-09 21:16 ` [PATCH v2 31/47] iwlwifi: pcie: remove unnecessary setting of inta_mask Luca Coelho
2020-12-09 21:16 ` [PATCH v2 32/47] iwlwifi: trans: consider firmware dead after errors Luca Coelho
2020-12-09 21:16 ` [PATCH v2 33/47] iwlwifi: dbg-tlv: fix old length in is_trig_data_contained() Luca Coelho
2020-12-09 21:16 ` [PATCH v2 34/47] iwlwifi: use SPDX tags Luca Coelho
2020-12-09 22:06   ` [PATCH v3 " Luca Coelho
2020-12-09 22:15     ` Luca Coelho
2020-12-09 21:16 ` [PATCH v2 35/47] iwlwifi: pcie: clean up some rx code Luca Coelho
2020-12-09 22:16   ` Luca Coelho
2020-12-09 21:16 ` Luca Coelho [this message]
2020-12-09 21:16 ` [PATCH v2 37/47] iwlwifi: mvm: fix a race in CSA that caused assert 0x3420 Luca Coelho
2020-12-09 21:16 ` [PATCH v2 38/47] iwlwifi: add an extra firmware state in the transport Luca Coelho
2020-12-09 21:16 ` [PATCH v2 39/47] iwlwifi: support firmware reset handshake Luca Coelho
2020-12-09 21:16 ` [PATCH v2 40/47] iwlwifi: mvm: disconnect if channel switch delay is too long Luca Coelho
2020-12-09 21:16 ` [PATCH v2 41/47] iwlwifi: Add a new card for MA family Luca Coelho
2020-12-09 21:16 ` [PATCH v2 42/47] iwlwifi: tighten RX MPDU bounds checks Luca Coelho
2020-12-09 21:16 ` [PATCH v2 43/47] iwlwifi: mvm: hook up missing RX handlers Luca Coelho
2020-12-09 21:16 ` [PATCH v2 44/47] iwlwifi: mvm: add size checks for range response notification Luca Coelho
2020-12-09 21:16 ` [PATCH v2 45/47] iwlwifi: mvm: check that statistics TLV version match struct version Luca Coelho
2020-12-09 21:16 ` [PATCH v2 46/47] iwlwifi: mvm: purge the BSS table upon firmware load Luca Coelho
2020-12-09 21:16 ` [PATCH v2 47/47] iwlwifi: mvm: validate notification size when waiting Luca Coelho

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=iwlwifi.20201209231352.a5a8173f16c7.I4fa68bb2b1c7dcc52ddd381c4042722d27c4a34d@changeid \
    --to=luca@coelho.fi \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    --subject='Re: [PATCH v2 36/47] iwlwifi: mvm: validate firmware sync response size' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.