From: Kalle Valo <kvalo@codeaurora.org>
To: Larry Finger <Larry.Finger@lwfinger.net>
Cc: linux-wireless@vger.kernel.org,
	"Ping-Ke Shih" <pkshih@realtek.com>,
	"Богдан Пилипенко" <bogdan.pylypenko107@gmail.com>,
	"Larry Finger" <Larry.Finger@lwfinger.net>,
	Stable <stable@vger.kernel.org>
Subject: Re: rtw88: Fix array overrun in rtw_get_tx_power_params()
Date: Sun, 18 Apr 2021 06:34:57 +0000 (UTC)
Message-ID: <20210418063457.B02ACC433D3@smtp.codeaurora.org>
In-Reply-To: <20210401192717.28927-1-Larry.Finger@lwfinger.net>

Larry Finger <Larry.Finger@lwfinger.net> wrote:

> From: Ping-Ke Shih <pkshih@realtek.com>
> 
> Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
> following array overrun is logged:
> 
> ================================================================================
> UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
> index 5 is out of range for type 'u8 [5]'
> CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G           O      5.12.0-rc5-00086-gd88bba47038e-dirty #651
> Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014
> Workqueue: phy0 ieee80211_scan_work [mac80211]
> Call Trace:
>  dump_stack+0x64/0x7c
>  ubsan_epilogue+0x5/0x40
>  __ubsan_handle_out_of_bounds.cold+0x43/0x48
>  rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]
>  ? rtw_pci_read16+0x20/0x20 [rtw_pci]
>  ? check_hw_ready+0x50/0x90 [rtw_core]
>  rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
>  rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]
>  rtw_set_channel+0xab/0x110 [rtw_core]
>  rtw_ops_config+0x87/0xc0 [rtw_core]
>  ieee80211_hw_config+0x9d/0x130 [mac80211]
>  ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
>  ieee80211_scan_work+0x19f/0x2a0 [mac80211]
>  process_one_work+0x1dd/0x3a0
>  worker_thread+0x49/0x330
>  ? rescuer_thread+0x3a0/0x3a0
>  kthread+0x134/0x150
>  ? kthread_create_worker_on_cpu+0x70/0x70
>  ret_from_fork+0x22/0x30
> ================================================================================
> 
> The statement where an array is being overrun is shown in the following snippet:
> 
> 	if (rate <= DESC_RATE11M)
> 		tx_power = pwr_idx_2g->cck_base[group];
> 	else
> ====>		tx_power = pwr_idx_2g->bw40_base[group];
> 
> The associated arrays are defined in main.h as follows:
> 
> struct rtw_2g_txpwr_idx {
> 	u8 cck_base[6];
> 	u8 bw40_base[5];
> 	struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
> 	struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
> 	struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
> 	struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
> };
> 
> The problem arises because the value of group is 5 for channel 14. The trivial
> increase in the dimension of bw40_base fails as this struct must match the layout of
> efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set
> the group for channel 14 to 4 if rate <= DESC_RATE11M.
> 
> This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")
> 
> Fixes: fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")
> Reported-by: Богдан Пилипенко <bogdan.pylypenko107@gmail.com>
> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
> Cc: Stable <stable@vger.kernel.org>

Patch applied to wireless-drivers-next.git, thanks.

2ff25985ea9c rtw88: Fix array overrun in rtw_get_tx_power_params()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210401192717.28927-1-Larry.Finger@lwfinger.net/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
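The overrun described in the quoted commit message, modelled as an added example that is not the rtw88 driver's code. The struct layout is the one quoted from main.h (the `*_diff` members are replaced by a byte placeholder), the channel-to-group mapping and the `DESC_RATE*` numbering are simplified assumptions, and `base_power()` adds an explicit bounds check so the bad index is reported as a return value instead of silently reading the bytes after `bw40_base`. For channel 14 the rate-aware mapping follows the array sizes on the page: only the 6-entry `cck_base` has an index 5, so any non-CCK rate on channel 14 uses group 4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed rate ordering: CCK rates first, everything else after.
   The numeric values are an assumption for this example only. */
enum { DESC_RATE1M, DESC_RATE2M, DESC_RATE5_5M, DESC_RATE11M,
       DESC_RATE6M, DESC_RATEMCS0 };

/* Layout from the quoted main.h excerpt. The struct mirrors the efuse
   layout, so bw40_base cannot simply be enlarged; 'diffs' stands in for
   the ht_*_diff members so that an overrun has something to read into. */
struct rtw_2g_txpwr_idx {
	u8 cck_base[6];
	u8 bw40_base[5];
	u8 diffs[4];
};

/* Constructed efuse-style sample table. */
static const struct rtw_2g_txpwr_idx sample_idx = {
	.cck_base  = { 10, 11, 12, 13, 14, 15 },
	.bw40_base = { 20, 21, 22, 23, 24 },
	.diffs     = { 0xAA, 0xBB, 0xCC, 0xDD },
};

/* Pre-fix behaviour (simplified assumption): the group depends only on the
   channel, and channel 14 always yields group 5. */
static u8 channel_group_old(u8 channel)
{
	if (channel <= 2)  return 0;
	if (channel <= 5)  return 1;
	if (channel <= 8)  return 2;
	if (channel <= 11) return 3;
	if (channel <= 13) return 4;
	return 5; /* channel 14 */
}

/* Fixed behaviour: the rate is an argument, and on channel 14 only the
   CCK path (rate <= DESC_RATE11M) may use index 5 of the 6-entry cck_base.
   Every other rate stays at group 4 so bw40_base[5] is never touched. */
static u8 channel_group_fixed(u8 channel, u8 rate)
{
	if (channel < 14)
		return channel_group_old(channel);
	return rate <= DESC_RATE11M ? 5 : 4;
}

/* Base power index for (group, rate). Returns -1 instead of indexing past
   the array, which is what UBSAN flagged in the unpatched lookup. */
static int base_power(const struct rtw_2g_txpwr_idx *idx, u8 group, u8 rate)
{
	if (rate <= DESC_RATE11M) {
		if (group >= ARRAY_SIZE(idx->cck_base))
			return -1;
		return idx->cck_base[group];
	}
	if (group >= ARRAY_SIZE(idx->bw40_base))
		return -1;
	return idx->bw40_base[group];
}

int main(void)
{
	u8 g_old = channel_group_old(14);
	u8 g_new = channel_group_fixed(14, DESC_RATE6M);

	printf("channel 14, OFDM 6M: old group %u -> %d, fixed group %u -> %d\n",
	       g_old, base_power(&sample_idx, g_old, DESC_RATE6M),
	       g_new, base_power(&sample_idx, g_new, DESC_RATE6M));
	printf("channel 14, CCK 11M: group %u -> %d\n",
	       channel_group_fixed(14, DESC_RATE11M),
	       base_power(&sample_idx, channel_group_fixed(14, DESC_RATE11M),
			  DESC_RATE11M));
	return 0;
}
```

Without the bounds check, `bw40_base[5]` on the unpatched mapping would read the first byte of the following member (`0xAA` in the constructed table) and hand it to the hardware as a power index, which is why the bug surfaces as wrong behaviour rather than a crash unless UBSAN is enabled.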

