From: "Arend van Spriel" <arend@broadcom.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Brett Rudley <brudley@broadcom.com>,
Roland Vossen <rvossen@broadcom.com>,
"Franky (Zhenhui) Lin" <frankyl@broadcom.com>,
Kan Yan <kanyan@broadcom.com>,
"John W. Linville" <linville@tuxdriver.com>,
Hante Meuleman <meuleman@broadcom.com>,
linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] brcmfmac: use kcalloc() to prevent integer overflow
Date: Wed, 26 Sep 2012 09:41:36 +0000 [thread overview]
Message-ID: <5062CDD0.2000008@broadcom.com> (raw)
In-Reply-To: <20120926073143.GO13767@mwanda>
On 09/26/2012 09:31 AM, Dan Carpenter wrote:
> Speaking of integer overflows, I had a couple other concerns in this
> file.
>
> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_enq_event()
> 4144 total_len = sizeof(struct brcmf_cfg80211_event_q);
> 4145 if (data)
> 4146 data_len = be32_to_cpu(msg->datalen);
> 4147 else
> 4148 data_len = 0;
> 4149 total_len += data_len;
> ^^^^^^^^^^^^^^^^^^^^^
> This looks very suspicious like a remote exploitable overflow.
Hi Dan,
The event message is generated in our device so I believe there is
little room for exploits.
> 4150 e = kzalloc(total_len, GFP_ATOMIC);
>
> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_run_escan()
> 882 if (request != NULL) {
> 883 /* Allocate space for populating ssids in struct */
> 884 params_size += sizeof(u32) * ((request->n_channels + 1) / 2);
> 885
> 886 /* Allocate space for populating ssids in struct */
> 887 params_size += sizeof(struct brcmf_ssid) * request->n_ssids;
> 888 }
> 889
> 890 params = kzalloc(params_size, GFP_KERNEL);
>
> I didn't track back where request comes from so I don't know if
> that's a problem or not. I figured you would know better than I
> would.
This request comes from user-space, ie. nl80211. cfg80211 does make sure
that amount channels and ssids are sane (see nl80211_trigger_scan() in
net/wireless/nl80211.c).
Gr. AvS
WARNING: multiple messages have this Message-ID (diff)
From: "Arend van Spriel" <arend@broadcom.com>
To: "Dan Carpenter" <dan.carpenter@oracle.com>
Cc: "Brett Rudley" <brudley@broadcom.com>,
"Roland Vossen" <rvossen@broadcom.com>,
"Franky (Zhenhui) Lin" <frankyl@broadcom.com>,
"Kan Yan" <kanyan@broadcom.com>,
"John W. Linville" <linville@tuxdriver.com>,
"Hante Meuleman" <meuleman@broadcom.com>,
linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] brcmfmac: use kcalloc() to prevent integer overflow
Date: Wed, 26 Sep 2012 11:41:36 +0200 [thread overview]
Message-ID: <5062CDD0.2000008@broadcom.com> (raw)
In-Reply-To: <20120926073143.GO13767@mwanda>
On 09/26/2012 09:31 AM, Dan Carpenter wrote:
> Speaking of integer overflows, I had a couple other concerns in this
> file.
>
> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_enq_event()
> 4144 total_len = sizeof(struct brcmf_cfg80211_event_q);
> 4145 if (data)
> 4146 data_len = be32_to_cpu(msg->datalen);
> 4147 else
> 4148 data_len = 0;
> 4149 total_len += data_len;
> ^^^^^^^^^^^^^^^^^^^^^
> This looks very suspicious like a remote exploitable overflow.
Hi Dan,
The event message is generated in our device so I believe there is
little room for exploits.
> 4150 e = kzalloc(total_len, GFP_ATOMIC);
>
> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_run_escan()
> 882 if (request != NULL) {
> 883 /* Allocate space for populating ssids in struct */
> 884 params_size += sizeof(u32) * ((request->n_channels + 1) / 2);
> 885
> 886 /* Allocate space for populating ssids in struct */
> 887 params_size += sizeof(struct brcmf_ssid) * request->n_ssids;
> 888 }
> 889
> 890 params = kzalloc(params_size, GFP_KERNEL);
>
> I didn't track back where request comes from so I don't know if
> that's a problem or not. I figured you would know better than I
> would.
This request comes from user-space, ie. nl80211. cfg80211 does make sure
that amount channels and ssids are sane (see nl80211_trigger_scan() in
net/wireless/nl80211.c).
Gr. AvS
next prev parent reply other threads:[~2012-09-26 9:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-26 7:21 [patch] brcmfmac: use kcalloc() to prevent integer overflow Dan Carpenter
2012-09-26 7:21 ` Dan Carpenter
2012-09-26 7:31 ` Dan Carpenter
2012-09-26 7:31 ` Dan Carpenter
2012-09-26 9:41 ` Arend van Spriel [this message]
2012-09-26 9:41 ` Arend van Spriel
2012-09-27 10:49 ` Arend van Spriel
2012-09-27 10:49 ` Arend van Spriel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5062CDD0.2000008@broadcom.com \
--to=arend@broadcom.com \
--cc=brcm80211-dev-list@broadcom.com \
--cc=brudley@broadcom.com \
--cc=dan.carpenter@oracle.com \
--cc=frankyl@broadcom.com \
--cc=kanyan@broadcom.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=meuleman@broadcom.com \
--cc=rvossen@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.