* [PATCH] wifi: mt7601u: fix an integer underflow
@ 2022-12-29 9:29 Jisoo Jang
2022-12-30 1:18 ` Jakub Kicinski
2023-01-16 16:23 ` Kalle Valo
0 siblings, 2 replies; 3+ messages in thread
From: Jisoo Jang @ 2022-12-29 9:29 UTC (permalink / raw)
To: kuba, linux-wireless; +Cc: linuxlovemin, dokyungs
Fix an integer underflow that leads to a null pointer dereference in
'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
could be manipulated, which could trigger an integer underflow of
'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
bypassed, eventually leading to a dereference of the pointer 'p', which
is a null pointer.
Ensure that 'dma_len' is greater than 'min_seg_len'.
Found by a modified version of syzkaller.
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+
#139
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
mt7601u_rx_tasklet+0xc73/0x1270
? mt7601u_submit_rx_buf.isra.0+0x510/0x510
? tasklet_action_common.isra.0+0x79/0x2f0
tasklet_action_common.isra.0+0x206/0x2f0
__do_softirq+0x1b5/0x880
? tasklet_unlock+0x30/0x30
run_ksoftirqd+0x26/0x50
smpboot_thread_fn+0x34f/0x7d0
? smpboot_register_percpu_thread+0x370/0x370
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 57f34f93b4da0f9b ]---
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
---
drivers/net/wireless/mediatek/mt7601u/dma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
index 457147394edc..773a1cc2f852 100644
--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
+++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
@@ -123,7 +123,8 @@ static u16 mt7601u_rx_next_seg_len(u8 *data, u32 data_len)
if (data_len < min_seg_len ||
WARN_ON_ONCE(!dma_len) ||
WARN_ON_ONCE(dma_len + MT_DMA_HDRS > data_len) ||
- WARN_ON_ONCE(dma_len & 0x3))
+ WARN_ON_ONCE(dma_len & 0x3) ||
+ WARN_ON_ONCE(dma_len < min_seg_len))
return 0;
return MT_DMA_HDRS + dma_len;
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] wifi: mt7601u: fix an integer underflow
2022-12-29 9:29 [PATCH] wifi: mt7601u: fix an integer underflow Jisoo Jang
@ 2022-12-30 1:18 ` Jakub Kicinski
2023-01-16 16:23 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Jakub Kicinski @ 2022-12-30 1:18 UTC (permalink / raw)
To: Jisoo Jang; +Cc: linux-wireless, linuxlovemin, dokyungs
On Thu, 29 Dec 2022 18:29:06 +0900 Jisoo Jang wrote:
> Fix an integer underflow that leads to a null pointer dereference in
> 'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
> could be manipulated, which could trigger an integer underflow of
> 'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
> causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
> bypassed, eventually leading to a dereference of the pointer 'p', which
> is a null pointer.
>
> Ensure that 'dma_len' is greater than 'min_seg_len'.
Acked-by: Jakub Kicinski <kuba@kernel.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] wifi: mt7601u: fix an integer underflow
2022-12-29 9:29 [PATCH] wifi: mt7601u: fix an integer underflow Jisoo Jang
2022-12-30 1:18 ` Jakub Kicinski
@ 2023-01-16 16:23 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2023-01-16 16:23 UTC (permalink / raw)
To: Jisoo Jang; +Cc: kuba, linux-wireless, linuxlovemin, dokyungs
Jisoo Jang <jisoo.jang@yonsei.ac.kr> wrote:
> Fix an integer underflow that leads to a null pointer dereference in
> 'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
> could be manipulated, which could trigger an integer underflow of
> 'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
> causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
> bypassed, eventually leading to a dereference of the pointer 'p', which
> is a null pointer.
>
> Ensure that 'dma_len' is greater than 'min_seg_len'.
>
> Found by a modified version of syzkaller.
>
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+
> #139
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> RIP: 0010:skb_add_rx_frag+0x143/0x370
> Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
> 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
> RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
> RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
> R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
> R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
> FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> mt7601u_rx_tasklet+0xc73/0x1270
> ? mt7601u_submit_rx_buf.isra.0+0x510/0x510
> ? tasklet_action_common.isra.0+0x79/0x2f0
> tasklet_action_common.isra.0+0x206/0x2f0
> __do_softirq+0x1b5/0x880
> ? tasklet_unlock+0x30/0x30
> run_ksoftirqd+0x26/0x50
> smpboot_thread_fn+0x34f/0x7d0
> ? smpboot_register_percpu_thread+0x370/0x370
> kthread+0x3a1/0x480
> ? set_kthread_struct+0x120/0x120
> ret_from_fork+0x1f/0x30
> Modules linked in: 88XXau(O) 88x2bu(O)
> ---[ end trace 57f34f93b4da0f9b ]---
> RIP: 0010:skb_add_rx_frag+0x143/0x370
> Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
> 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
> RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
> RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
> R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
> R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
> FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
>
> Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
> Acked-by: Jakub Kicinski <kuba@kernel.org>
Patch applied to wireless-next.git, thanks.
803f3176c5df wifi: mt7601u: fix an integer underflow
--
https://patchwork.kernel.org/project/linux-wireless/patch/20221229092906.2328282-1-jisoo.jang@yonsei.ac.kr/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-01-16 16:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-29 9:29 [PATCH] wifi: mt7601u: fix an integer underflow Jisoo Jang
2022-12-30 1:18 ` Jakub Kicinski
2023-01-16 16:23 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).