From: Lorenzo Bianconi <lorenzo@kernel.org>
To: greearb@candelatech.com
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH v2] wireless: mt76: mt7921: Fix use-after-free in fw features query.
Date: Wed, 8 Mar 2023 19:59:28 +0100 [thread overview]
Message-ID: <ZAjbEOd++IfaGLZn@lore-desk> (raw)
In-Reply-To: <20230308175832.2394061-1-greearb@candelatech.com>
> From: Ben Greear <greearb@candelatech.com>
>
> Stop referencing 'features' memory after release_firmware is called.
>
> Fixes this crash:
>
> RIP: 0010:mt7921_check_offload_capability+0x17d
> mt7921_pci_probe+0xca/0x4b0
> ...
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt7921/init.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
> index 38d6563cb12f..d2bb8d02ce0a 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
> @@ -165,12 +165,12 @@ mt7921_mac_init_band(struct mt7921_dev *dev, u8 band)
>
> u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
> {
> - struct mt7921_fw_features *features = NULL;
> const struct mt76_connac2_fw_trailer *hdr;
> struct mt7921_realease_info *rel_info;
> const struct firmware *fw;
> int ret, i, offset = 0;
> const u8 *data, *end;
> + u8 offload_caps = 0;
>
> ret = request_firmware(&fw, fw_wm, dev);
> if (ret)
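Review bot: Moving the `features` pointer out of function scope and carrying the result in a plain `u8 offload_caps = 0;` is the right shape for this fix: once the pointer no longer exists past the loop, the compiler itself rules out a later read through memory that `release_firmware()` has freed, and the zero initializer keeps the "no feature tag found" result identical to the old `features ? ... : 0` path. The `offload_caps` declaration could be placed with the other locals in reverse-christmas-tree order to match the surrounding style.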
> @@ -197,12 +197,19 @@ u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
> data += sizeof(*rel_info);
> end = data + le16_to_cpu(rel_info->len);
>
> + /* TODO: This needs better sanity checking I think.
> + * Likely a corrupted firmware with bad rel_info->len, for instance,
> + * would blow this up.
> + */
> while (data < end) {
> rel_info = (struct mt7921_realease_info *)data;
> data += sizeof(*rel_info);
>
> if (rel_info->tag == MT7921_FW_TAG_FEATURE) {
> + struct mt7921_fw_features *features;
> +
> features = (struct mt7921_fw_features *)data;
> + offload_caps = features->data;
> break;
> }
>
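Review bot: Copying `features->data` into `offload_caps` inside the loop, while `fw` is still held, is the actual use-after-free fix and looks correct. The new TODO comment, however, only documents the bounds problem instead of addressing it: `end` is derived from `rel_info->len` with no check that it stays within the firmware image, and the loop dereferences `rel_info` and `features` without confirming that `data + sizeof(*rel_info)` (and the feature payload) still lies before `end`. Either bound `end` against the firmware buffer before the loop (for example clamping it to `fw->data + fw->size`) or move that observation to the commit message and a follow-up patch; a first-person "I think" inside a kernel source comment should be reworded in any case.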
> @@ -211,7 +218,7 @@ u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
>
> release_firmware(fw);
>
> - return features ? features->data : 0;
> + return offload_caps;
> }
> EXPORT_SYMBOL_GPL(mt7921_check_offload_capability);
>
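Review bot: Returning `offload_caps` after `release_firmware(fw)` removes the dangling dereference that produced the reported `mt7921_check_offload_capability+0x17d` crash, and because `offload_caps` was zero-initialized the return value for firmware without a `MT7921_FW_TAG_FEATURE` entry is unchanged. No further change needed in this hunk.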
> --
> 2.39.1
>