From: kbuild test robot <lkp@intel.com>
To: huangwenabc@gmail.com
Cc: kbuild-all@lists.01.org, linux-wireless@vger.kernel.org,
linux-distros@vs.openwall.org, security@kernel.org,
libertas-dev@lists.infradead.org
Subject: Re: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
Date: Sun, 24 Nov 2019 15:52:03 +0800 [thread overview]
Message-ID: <201911241536.lyRxx5Oc%lkp@intel.com> (raw)
In-Reply-To: <20191122052917.11309-1-huangwenabc@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 15322 bytes --]
Hi,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on wireless-drivers-next/master]
[also build test WARNING on v5.4-rc8 next-20191122]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/huangwenabc-gmail-com/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor/20191124-142236
base: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git master
config: sh-allmodconfig (attached as .config)
compiler: sh4-linux-gcc (GCC) 7.4.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=7.4.0 make.cross ARCH=sh
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
drivers/net/wireless/marvell/libertas/cfg.c: In function 'lbs_ibss_join_existing':
>> drivers/net/wireless/marvell/libertas/cfg.c:1788:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
u8 *rates = cmd.bss.rates;
^~
vim +1788 drivers/net/wireless/marvell/libertas/cfg.c
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1715
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1716 static int lbs_ibss_join_existing(struct lbs_private *priv,
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1717 struct cfg80211_ibss_params *params,
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1718 struct cfg80211_bss *bss)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1719 {
9caf03640279e6 drivers/net/wireless/libertas/cfg.c Johannes Berg 2012-11-29 1720 const u8 *rates_eid;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1721 struct cmd_ds_802_11_ad_hoc_join cmd;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1722 u8 preamble = RADIO_PREAMBLE_SHORT;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1723 int ret = 0;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1724
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1725 /* TODO: set preamble based on scan result */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1726 ret = lbs_set_radio(priv, preamble, 1);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1727 if (ret)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1728 goto out;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1729
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1730 /*
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1731 * Example CMD_802_11_AD_HOC_JOIN command:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1732 *
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1733 * command 2c 00 CMD_802_11_AD_HOC_JOIN
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1734 * size 65 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1735 * sequence xx xx
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1736 * result 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1737 * bssid 02 27 27 97 2f 96
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1738 * ssid 49 42 53 53 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1739 * 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1740 * 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1741 * 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1742 * type 02 CMD_BSS_TYPE_IBSS
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1743 * beacon period 64 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1744 * dtim period 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1745 * timestamp 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1746 * localtime 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1747 * IE DS 03
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1748 * IE DS len 01
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1749 * IE DS channel 01
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1750 * reserveed 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1751 * IE IBSS 06
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1752 * IE IBSS len 02
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1753 * IE IBSS atim 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1754 * reserved 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1755 * capability 02 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1756 * rates 82 84 8b 96 0c 12 18 24 30 48 60 6c 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1757 * fail timeout ff 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1758 * probe delay 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1759 */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1760 memset(&cmd, 0, sizeof(cmd));
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1761 cmd.hdr.size = cpu_to_le16(sizeof(cmd));
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1762
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1763 memcpy(cmd.bss.bssid, bss->bssid, ETH_ALEN);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1764 memcpy(cmd.bss.ssid, params->ssid, params->ssid_len);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1765 cmd.bss.type = CMD_BSS_TYPE_IBSS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1766 cmd.bss.beaconperiod = cpu_to_le16(params->beacon_interval);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1767 cmd.bss.ds.header.id = WLAN_EID_DS_PARAMS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1768 cmd.bss.ds.header.len = 1;
683b6d3b31a519 drivers/net/wireless/libertas/cfg.c Johannes Berg 2012-11-08 1769 cmd.bss.ds.channel = params->chandef.chan->hw_value;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1770 cmd.bss.ibss.header.id = WLAN_EID_IBSS_PARAMS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1771 cmd.bss.ibss.header.len = 2;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1772 cmd.bss.ibss.atimwindow = 0;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1773 cmd.bss.capability = cpu_to_le16(bss->capability & CAPINFO_MASK);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1774
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1775 /* set rates to the intersection of our rates and the rates in the
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1776 bss */
9caf03640279e6 drivers/net/wireless/libertas/cfg.c Johannes Berg 2012-11-29 1777 rcu_read_lock();
9caf03640279e6 drivers/net/wireless/libertas/cfg.c Johannes Berg 2012-11-29 1778 rates_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1779 if (!rates_eid) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1780 lbs_add_rates(cmd.bss.rates);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1781 } else {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1782 int hw, i;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1783 u8 rates_max = rates_eid[1];
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang 2019-11-22 1784 if (rates_max > MAX_RATES) {
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang 2019-11-22 1785 lbs_deb_join("invalid rates");
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang 2019-11-22 1786 goto out;
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang 2019-11-22 1787 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 @1788 u8 *rates = cmd.bss.rates;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1789 for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1790 u8 hw_rate = lbs_rates[hw].bitrate / 5;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1791 for (i = 0; i < rates_max; i++) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1792 if (hw_rate == (rates_eid[i+2] & 0x7f)) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1793 u8 rate = rates_eid[i+2];
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1794 if (rate == 0x02 || rate == 0x04 ||
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1795 rate == 0x0b || rate == 0x16)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1796 rate |= 0x80;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1797 *rates++ = rate;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1798 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1799 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1800 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1801 }
9caf03640279e6 drivers/net/wireless/libertas/cfg.c Johannes Berg 2012-11-29 1802 rcu_read_unlock();
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1803
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1804 /* Only v8 and below support setting this */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1805 if (MRVL_FW_MAJOR_REV(priv->fwrelease) <= 8) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1806 cmd.failtimeout = cpu_to_le16(MRVDRV_ASSOCIATION_TIME_OUT);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1807 cmd.probedelay = cpu_to_le16(CMD_SCAN_PROBE_DELAY_TIME);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1808 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1809 ret = lbs_cmd_with_response(priv, CMD_802_11_AD_HOC_JOIN, &cmd);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1810 if (ret)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1811 goto out;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1812
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1813 /*
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1814 * This is a sample response to CMD_802_11_AD_HOC_JOIN:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1815 *
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1816 * response 2c 80
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1817 * size 09 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1818 * sequence xx xx
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1819 * result 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1820 * reserved 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1821 */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1822 lbs_join_post(priv, params, bss->bssid, bss->capability);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1823
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1824 out:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1825 return ret;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1826 }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c Kiran Divekar 2010-06-14 1827
:::::: The code at line 1788 was first introduced by commit
:::::: e86dc1ca4676445d9f0dfe35104efe0eb8a2f566 Libertas: cfg80211 support
:::::: TO: Kiran Divekar <dkiran@marvell.com>
:::::: CC: John W. Linville <linville@tuxdriver.com>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 52274 bytes --]
next prev parent reply other threads:[~2019-11-24 7:52 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-22 5:29 [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor huangwenabc
2019-11-24 7:52 ` kbuild test robot [this message]
2019-11-25 12:36 ` Kalle Valo
[not found] ` <0101016ea290854e-f5721fd1-1ca7-49ab-9c10-85277bc46c64-000000@us-west-2.amazonses.com>
2019-11-25 14:29 ` [kbuild-all] " Philip Li
2019-11-27 18:23 ` Guenter Roeck
2019-11-28 1:53 ` Rong Chen
2020-03-24 15:19 ` Kalle Valo
2019-11-28 8:00 ` Kalle Valo
[not found] ` <0101016eb106d678-62ccf480-a650-47f2-87b3-cb5a03deb013-000000@us-west-2.amazonses.com>
[not found] ` <CADt2dQfbnk5WgDk=oeWjE1tziCEem-3fhhA68Pmr_fo0pZ_V=g@mail.gmail.com>
2019-11-28 11:54 ` Kalle Valo
2020-01-09 14:12 ` Nicolai Stange
2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 13:43 ` Kalle Valo
2020-01-15 6:21 ` Nicolai Stange
2020-01-26 15:14 ` Kalle Valo
2020-01-27 14:37 ` Kalle Valo
2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
2020-01-14 13:44 ` Kalle Valo
2019-11-28 10:51 [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor huangwenabc
2019-12-18 18:52 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201911241536.lyRxx5Oc%lkp@intel.com \
--to=lkp@intel.com \
--cc=huangwenabc@gmail.com \
--cc=kbuild-all@lists.01.org \
--cc=libertas-dev@lists.infradead.org \
--cc=linux-distros@vs.openwall.org \
--cc=linux-wireless@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).