From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Brian Norris <briannorris@chromium.org>,
Kalle Valo <kvalo@kernel.org>,
Amitkumar Karwar <akarwar@marvell.com>,
Xinming Hu <huxm@marvell.com>, Dan Williams <dcbw@redhat.com>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2 1/3] wifi: mwifiex: Fix tlv_buf_left calculation
Date: Fri, 25 Aug 2023 14:09:28 -0700 [thread overview]
Message-ID: <202308251409.D62880A8@keescook> (raw)
In-Reply-To: <06668edd68e7a26bbfeebd1201ae077a2a7a8bce.1692931954.git.gustavoars@kernel.org>
On Thu, Aug 24, 2023 at 09:06:51PM -0600, Gustavo A. R. Silva wrote:
> In a TLV encoding scheme, the Length part represents the length after
> the header containing the values for type and length. In this case,
> `tlv_len` should be:
>
> tlv_len == (sizeof(*tlv_rxba) - 1) - sizeof(tlv_rxba->header) + tlv_bitmap_len
>
> Notice that the `- 1` accounts for the one-element array `bitmap`, which
> 1-byte size is already included in `sizeof(*tlv_rxba)`.
>
> So, if the above is correct, there is a double-counting of some members
> in `struct mwifiex_ie_types_rxba_sync`, when `tlv_buf_left` and `tmp`
> are calculated:
>
> 968 tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
> 969 tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
>
> in specific, members:
>
> drivers/net/wireless/marvell/mwifiex/fw.h:777
> 777 u8 mac[ETH_ALEN];
> 778 u8 tid;
> 779 u8 reserved;
> 780 __le16 seq_num;
> 781 __le16 bitmap_len;
>
> This is clearly wrong, and affects the subsequent decoding of data in
> `event_buf` through `tlv_rxba`:
>
> 970 tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
>
> Fix this by using `sizeof(tlv_rxba->header)` instead of `sizeof(*tlv_rxba)`
> in the calculation of `tlv_buf_left` and `tmp`.
>
> This results in the following binary differences before/after changes:
>
> | drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
> | @@ -4698,11 +4698,11 @@
> | drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:968
> | tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
> | - 1da7: lea -0x11(%rbx),%edx
> | + 1da7: lea -0x4(%rbx),%edx
> | 1daa: movzwl %bp,%eax
> | drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:969
> | tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
> | - 1dad: lea 0x11(%r15,%rbp,1),%r15
> | + 1dad: lea 0x4(%r15,%rbp,1),%r15
>
> The above reflects the desired change: avoid counting 13 too many bytes;
> which is the total size of the double-counted members in
> `struct mwifiex_ie_types_rxba_sync`:
>
> $ pahole -C mwifiex_ie_types_rxba_sync drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
> struct mwifiex_ie_types_rxba_sync {
> struct mwifiex_ie_types_header header; /* 0 4 */
>
> |-----------------------------------------------------------------------
> | u8 mac[6]; /* 4 6 */ |
> | u8 tid; /* 10 1 */ |
> | u8 reserved; /* 11 1 */ |
> | __le16 seq_num; /* 12 2 */ |
> | __le16 bitmap_len; /* 14 2 */ |
> | u8 bitmap[1]; /* 16 1 */ |
> |----------------------------------------------------------------------|
> | 13 bytes|
> -----------
>
> /* size: 17, cachelines: 1, members: 7 */
> /* last cacheline: 17 bytes */
> } __attribute__((__packed__));
>
> Fixes: 99ffe72cdae4 ("mwifiex: process rxba_sync event")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Excellent commit log!
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
next prev parent reply other threads:[~2023-08-25 21:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-25 3:03 [PATCH v2 0/3] wifi: mwifiex: Fix tlv_buf_left calculation and replace one-element array Gustavo A. R. Silva
2023-08-25 3:06 ` [PATCH v2 1/3] wifi: mwifiex: Fix tlv_buf_left calculation Gustavo A. R. Silva
2023-08-25 21:09 ` Kees Cook [this message]
2023-09-04 17:16 ` Kalle Valo
2023-09-04 18:17 ` Gustavo A. R. Silva
2023-08-25 3:07 ` [PATCH v2 2/3] wifi: mwifiex: Replace one-element array with flexible-array member in struct mwifiex_ie_types_rxba_sync Gustavo A. R. Silva
2023-08-25 21:09 ` Kees Cook
2023-08-25 3:10 ` [PATCH v2 3/3] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Gustavo A. R. Silva
2023-08-25 21:10 ` Kees Cook
2023-08-25 23:38 ` Brian Norris
2023-08-25 23:54 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308251409.D62880A8@keescook \
--to=keescook@chromium.org \
--cc=akarwar@marvell.com \
--cc=briannorris@chromium.org \
--cc=dcbw@redhat.com \
--cc=gustavoars@kernel.org \
--cc=huxm@marvell.com \
--cc=kvalo@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.