* [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n
@ 2020-06-23 22:11 Zekun Shen
2020-07-15 15:26 ` Kalle Valo
2020-07-20 17:10 ` Kalle Valo
0 siblings, 2 replies; 3+ messages in thread
From: Zekun Shen @ 2020-06-23 22:11 UTC (permalink / raw)
Cc: security, netdev, linux-wireless, linux-kernel, ath10k,
Zekun Shen, Jakub Kicinski, David S. Miller, Kalle Valo
The idx in __ath10k_htt_rx_ring_fill_n function lives in
consistent dma region writable by the device. Malfunctional
or malicious device could manipulate such idx to have a OOB
write. Either by
htt->rx_ring.netbufs_ring[idx] = skb;
or by
ath10k_htt_set_paddrs_ring(htt, paddr, idx);
The idx can also be negative as it's signed, giving a large
memory space to write to.
It's possibly exploitable by corruptting a legit pointer with
a skb pointer. And then fill skb with payload as rougue object.
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
---
Part of the log here. Sometimes it appears as UAF when writing
to a freed memory by chance.
[ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
[ 15.595483] #PF: supervisor write access in kernel mode
[ 15.596250] #PF: error_code(0x0002) - not-present page
[ 15.597013] PGD 0 P4D 0
[ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
[ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
[ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
[ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
(linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index d787cbead..4e411b33a 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -142,6 +142,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num)
BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2);
idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr);
+
+ if (idx < 0 || idx >= htt->rx_ring.size) {
+ ath10k_err(htt->ar, "idx OOB, firmware malfunctioning?\n");
+ idx &= htt->rx_ring.size_mask;
+ ret = -ENOMEM;
+ goto fail;
+ }
+
while (num > 0) {
skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN);
if (!skb) {
--
2.17.1
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n
2020-06-23 22:11 [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n Zekun Shen
@ 2020-07-15 15:26 ` Kalle Valo
2020-07-20 17:10 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2020-07-15 15:26 UTC (permalink / raw)
To: Zekun Shen
Cc: security, netdev, linux-wireless, linux-kernel, ath10k,
Jakub Kicinski, David S. Miller
Zekun Shen <bruceshenzk@gmail.com> writes:
> The idx in __ath10k_htt_rx_ring_fill_n function lives in
> consistent dma region writable by the device. Malfunctional
> or malicious device could manipulate such idx to have a OOB
> write. Either by
> htt->rx_ring.netbufs_ring[idx] = skb;
> or by
> ath10k_htt_set_paddrs_ring(htt, paddr, idx);
>
> The idx can also be negative as it's signed, giving a large
> memory space to write to.
>
> It's possibly exploitable by corruptting a legit pointer with
> a skb pointer. And then fill skb with payload as rougue object.
>
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
> ---
> Part of the log here. Sometimes it appears as UAF when writing
> to a freed memory by chance.
>
> [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
> [ 15.595483] #PF: supervisor write access in kernel mode
> [ 15.596250] #PF: error_code(0x0002) - not-present page
> [ 15.597013] PGD 0 P4D 0
> [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
> [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
> [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
> [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
> (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
I added the log to the commit log as it looks useful.
Also I made minor changes to the title and to the error message.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n
2020-06-23 22:11 [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n Zekun Shen
2020-07-15 15:26 ` Kalle Valo
@ 2020-07-20 17:10 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2020-07-20 17:10 UTC (permalink / raw)
To: Zekun Shen
Cc: security, netdev, linux-wireless, linux-kernel, ath10k,
Jakub Kicinski, David S. Miller
Zekun Shen <bruceshenzk@gmail.com> wrote:
> The idx in __ath10k_htt_rx_ring_fill_n function lives in
> consistent dma region writable by the device. Malfunctional
> or malicious device could manipulate such idx to have a OOB
> write. Either by
> htt->rx_ring.netbufs_ring[idx] = skb;
> or by
> ath10k_htt_set_paddrs_ring(htt, paddr, idx);
>
> The idx can also be negative as it's signed, giving a large
> memory space to write to.
>
> It's possibly exploitable by corruptting a legit pointer with
> a skb pointer. And then fill skb with payload as rougue object.
>
> Part of the log here. Sometimes it appears as UAF when writing
> to a freed memory by chance.
>
> [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
> [ 15.595483] #PF: supervisor write access in kernel mode
> [ 15.596250] #PF: error_code(0x0002) - not-present page
> [ 15.597013] PGD 0 P4D 0
> [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
> [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
> [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
> [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
> (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
>
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
bad60b8d1a71 ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
--
https://patchwork.kernel.org/patch/11621899/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-20 17:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-23 22:11 [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n Zekun Shen
2020-07-15 15:26 ` Kalle Valo
2020-07-20 17:10 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).