From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Maya Erez <merez@codeaurora.org>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, wil6210@qti.qualcomm.com,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.1 005/219] wil6210: fix potential out-of-bounds read
Date: Mon, 15 Jul 2019 09:34:37 -0400
Message-ID: <20190715133811.2441-5-sashal@kernel.org>
In-Reply-To: <20190715133811.2441-1-sashal@kernel.org>

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

[ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ]

Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:

enum gro_result {
        GRO_MERGED,
        GRO_MERGED_FREE,
        GRO_HELD,
        GRO_NORMAL,
        GRO_DROP,
        GRO_CONSUMED,
};
typedef enum gro_result gro_result_t;

In case *rc* evaluates to 5, we end up having an out-of-bounds read
at drivers/net/wireless/ath/wil6210/txrx.c:821:

	wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
		     len, gro_res_str[rc]);

Fix this by adding element "GRO_CONSUMED" to array gro_res_str.

Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
Fixes: 194b482b5055 ("wil6210: Debug print GRO Rx result")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/wil6210/txrx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index 4ccfd1404458..d74837cce67f 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -750,6 +750,7 @@ void wil_netif_rx_any(struct sk_buff *skb, struct net_device *ndev)
 		[GRO_HELD]		= "GRO_HELD",
 		[GRO_NORMAL]		= "GRO_NORMAL",
 		[GRO_DROP]		= "GRO_DROP",
+		[GRO_CONSUMED]		= "GRO_CONSUMED",
 	};
 
 	wil->txrx_ops.get_netif_rx_params(skb, &cid, &security);
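Review bot: the lookup gro_res_str[rc] quoted in the commit message is still indexed without a bounds check, so the added [GRO_CONSUMED] entry covers the enum as it stands today but the same out-of-bounds read comes back if gro_result_t gains another value. Consider guarding the debug print with a check of rc against ARRAY_SIZE(gro_res_str), or placing a build-time assertion on the table size next to the array, so that the table and the enum cannot drift apart silently.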
-- 
2.20.1
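
The following user-space sketch is an added example, not part of the patch or of the wil6210 driver. It reproduces the table-versus-enum mismatch described in the commit message and shows a bounds-checked lookup plus a build-time size check. GRO_RESULT_COUNT, gro_name(), old_name() and new_name() are hypothetical names, and the first two entries of the pre-fix table are assumed, since the hunk shows only the last three.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space copy of the enum quoted in the commit message. */
enum gro_result {
	GRO_MERGED, GRO_MERGED_FREE, GRO_HELD,
	GRO_NORMAL, GRO_DROP, GRO_CONSUMED,
	GRO_RESULT_COUNT	/* hypothetical sentinel, not in the kernel enum */
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Table before the fix: highest designator is GRO_DROP, so it has 5 slots. */
static const char * const old_tbl[] = {
	[GRO_MERGED]		= "GRO_MERGED",		/* assumed entry */
	[GRO_MERGED_FREE]	= "GRO_MERGED_FREE",	/* assumed entry */
	[GRO_HELD]		= "GRO_HELD",
	[GRO_NORMAL]		= "GRO_NORMAL",
	[GRO_DROP]		= "GRO_DROP",
};

/* Table after the fix: one slot per enumerator. */
static const char * const new_tbl[] = {
	[GRO_MERGED]		= "GRO_MERGED",
	[GRO_MERGED_FREE]	= "GRO_MERGED_FREE",
	[GRO_HELD]		= "GRO_HELD",
	[GRO_NORMAL]		= "GRO_NORMAL",
	[GRO_DROP]		= "GRO_DROP",
	[GRO_CONSUMED]		= "GRO_CONSUMED",
};

/* Build-time check: compilation fails if the enum grows and the table does not. */
_Static_assert(ARRAY_SIZE(new_tbl) == GRO_RESULT_COUNT,
	       "string table out of sync with enum gro_result");

/* Hypothetical helper: never indexes past the table and also covers NULL holes. */
static const char *gro_name(const char * const *tbl, size_t n, int rc)
{
	if (rc < 0 || (size_t)rc >= n || !tbl[rc])
		return "GRO_UNKNOWN";
	return tbl[rc];
}

static const char *old_name(int rc) { return gro_name(old_tbl, ARRAY_SIZE(old_tbl), rc); }
static const char *new_name(int rc) { return gro_name(new_tbl, ARRAY_SIZE(new_tbl), rc); }

int main(void)
{
	printf("old: %s, new: %s\n", old_name(GRO_CONSUMED), new_name(GRO_CONSUMED));
	return 0;
}
```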

