From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8D1DFC4167D for ; Tue, 7 Nov 2023 12:07:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=4c9pTNmpcdV6ISk+v8GrxVZbqvhP0/xaMjRsCZI4ZLY=; b=w5vLo9PDiACeQQ agzApTLPUbqLO4jc/bWlRtdbCsLITrdNzk8EVj4CZ8R0a8VeRhxQH7fxrTjSVBaL8+Vf0Viq+m4i9 mdRFg4zFTKlClHI0JJS8bP857DqRPlWCYfWzrF9dLVDGxIWkqBoQdFdtfY8S2u0tRQzQCfW2Lw36R SeRKKCsCqeNfGkM1Yx+fOL8GxFQHqOfwoEF4cwvMG0U831VpineiPyi8QHq3Yxd5JmNaXoE5Oji3E jmlrC/7WoYsh5YrCND5dj6CYlHoDk3xOnOxE2Is6IfYMsB8eIds3Gi2iKkhD1aiDkz40AAfxS5kpp jhOKXca3c5JqiPgnD0Dg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1r0Krh-001POW-0u for ath12k@archiver.kernel.org; Tue, 07 Nov 2023 12:07:29 +0000 Received: from sin.source.kernel.org ([2604:1380:40e1:4800::1]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1r0Krd-001PMd-2g for ath12k@lists.infradead.org; Tue, 07 Nov 2023 12:07:27 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sin.source.kernel.org (Postfix) with ESMTP id 27A9ECE0B89; Tue, 7 Nov 2023 12:07:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 72E18C433C7; Tue, 7 Nov 2023 12:07:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1699358843; bh=01j6EKsgCax7l7Fd8OSsdrmplpwNAU3rMOg92D5wsp8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jmR0CEXlCuh99CrQfAqHccjtlQGB4j+qy8j6A6JYwHCwl1Us3aVXqPxIO1zGwXdX3 AagIPCzqYpezXhzeujYpUcjSLS7o6L6ur+F1tshJdTHeS3Rm63aLeZm7e8YodAbU9K W5YYRYU/IGfX0dwHbsxHqI/NzbaZ5lB8HgSrDLzJQdyh4PcBmlxFlZGE108inHYBUg xmx0CYpGRbR1HkVXAcJTsXdfBRX7nzdypLZAknFwPKeIV1z2h9HlTi/mZ5hLFUCyLk 5SWMjBBL+wp20D4h+pCL1e3uBcHp52kZxH3YBJDESfAxlR6JPN4lOMKNmE3st3aYT4 1vv/p8s7GJG5Q== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Baochen Qiang , Jeff Johnson , Kalle Valo , Sasha Levin , kvalo@kernel.org, ath12k@lists.infradead.org, linux-wireless@vger.kernel.org Subject: [PATCH AUTOSEL 6.6 08/31] wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats() Date: Tue, 7 Nov 2023 07:05:55 -0500 Message-ID: <20231107120704.3756327-8-sashal@kernel.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231107120704.3756327-1-sashal@kernel.org> References: <20231107120704.3756327-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231107_040726_050279_15A9C6B5 X-CRM114-Status: GOOD ( 10.95 ) X-BeenThere: ath12k@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "ath12k" Errors-To: ath12k-bounces+ath12k=archiver.kernel.org@lists.infradead.org From: Baochen Qiang [ Upstream commit 1bc44a505a229bb1dd4957e11aa594edeea3690e ] len is extracted from HTT message and could be an unexpected value in case errors happen, so add validation before using to avoid possible out-of-bound read in the following message iteration and parsing. The same issue also applies to ppdu_info->ppdu_stats.common.num_users, so validate it before using too. These are found during code review. Compile test only. Signed-off-by: Baochen Qiang Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230901015602.45112-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath12k/dp_rx.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c index 100390fdc735f..42f9cfede12bf 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -1555,6 +1555,13 @@ static int ath12k_htt_pull_ppdu_stats(struct ath12k_base *ab, msg = (struct ath12k_htt_ppdu_stats_msg *)skb->data; len = le32_get_bits(msg->info, HTT_T2H_PPDU_STATS_INFO_PAYLOAD_SIZE); + if (len > (skb->len - struct_size(msg, data, 0))) { + ath12k_warn(ab, + "HTT PPDU STATS event has unexpected payload size %u, should be smaller than %u\n", + len, skb->len); + return -EINVAL; + } + pdev_id = le32_get_bits(msg->info, HTT_T2H_PPDU_STATS_INFO_PDEV_ID); ppdu_id = le32_to_cpu(msg->ppdu_id); @@ -1583,6 +1590,16 @@ static int ath12k_htt_pull_ppdu_stats(struct ath12k_base *ab, goto exit; } + if (ppdu_info->ppdu_stats.common.num_users >= HTT_PPDU_STATS_MAX_USERS) { + spin_unlock_bh(&ar->data_lock); + ath12k_warn(ab, + "HTT PPDU STATS event has unexpected num_users %u, should be smaller than %u\n", + ppdu_info->ppdu_stats.common.num_users, + HTT_PPDU_STATS_MAX_USERS); + ret = -EINVAL; + goto exit; + } + /* back up data rate tlv for all peers */ if (ppdu_info->frame_type == HTT_STATS_PPDU_FTYPE_DATA && (ppdu_info->tlv_bitmap & (1 << HTT_PPDU_STATS_TAG_USR_COMMON)) && -- 2.42.0 -- ath12k mailing list ath12k@lists.infradead.org https://lists.infradead.org/mailman/listinfo/ath12k