From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Alexei Safin <a.safin@rosa.ru>
Cc: Kalle Valo <kvalo@kernel.org>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate()
Date: Sun, 27 Apr 2025 08:39:00 +0200 [thread overview]
Message-ID: <20250427063900.GA48509@wp.pl> (raw)
In-Reply-To: <20250424185244.3562-1-a.safin@rosa.ru>
Hi
On Thu, Apr 24, 2025 at 09:52:44PM +0300, Alexei Safin wrote:
> Prevent out-of-bounds access in il4965_tx_cmd_build_rate() by rejecting
> rate_idx values greater than or equal to RATE_COUNT_LEGACY.
>
> Use a correct bounds check to avoid accessing il_rates[] with
> an invalid index. The previous comparison allowed rate_idx to become
> equal to RATE_COUNT_LEGACY, which exceeds the array limit.
Thanks for the patch, however I think it's not correct.
The definitions are:
enum {
RATE_1M_IDX = 0,
...
RATE_54M_INDEX,
RATE_60M_INDEX,
RATE_COUNT
RATE_COUNT_LEGACY = RATE_COUNT - 1, /* Excluding 60M */
}
extern const struct il_rate_info il_rates[RATE_COUNT];
> Replace the check 'rate_idx > RATE_COUNT_LEGACY' with
> 'rate_idx >= RATE_COUNT_LEGACY' to ensure memory safety.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> Fixes: 7ac9a364c172 ("iwlegacy: move under intel directory")
> Signed-off-by: Alexei Safin <a.safin@rosa.ru>
> ---
> v2: change reciepent
> drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> index 78dee8ccfebf..f60d9b9798c1 100644
> --- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> +++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> @@ -1572,7 +1572,7 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
> */
> rate_idx = info->control.rates[0].idx;
> if ((info->control.rates[0].flags & IEEE80211_TX_RC_MCS) || rate_idx < 0
> - || rate_idx > RATE_COUNT_LEGACY)
> + || rate_idx >= RATE_COUNT_LEGACY)
> rate_idx = rate_lowest_index(&il->bands[info->band], sta);
.. so looks the check is fine already and changing it will induce a bug
for RATE_54M_INDEX.
Regards
Stanislaw
> /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
> if (info->band == NL80211_BAND_5GHZ)
> --
> 2.39.5 (Apple Git-154)
>
next prev parent reply other threads:[~2025-04-27 7:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 18:52 [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate() Alexei Safin
2025-04-25 5:59 ` Ping-Ke Shih
2025-04-27 6:39 ` Stanislaw Gruszka [this message]
2025-04-29 17:15 ` Fedor Pchelkin
2025-04-29 21:40 ` Stanislaw Gruszka
2025-05-17 7:40 ` [PATCH] wifi: iwlegacy: Check rate_idx range after addition Stanislaw Gruszka
2025-05-17 12:21 ` Fedor Pchelkin
2025-05-17 14:53 ` Stanislaw Gruszka
2025-05-25 14:45 ` [PATCH v2] " Stanislaw Gruszka
2025-05-27 19:17 ` Fedor Pchelkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250427063900.GA48509@wp.pl \
--to=stf_xl@wp.pl \
--cc=a.safin@rosa.ru \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.