Linux wireless drivers development
From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org,
	Gregory Greenman <gregory.greenman@intel.com>,
	Luca Coelho <luciano.coelho@intel.com>
Subject: [PATCH 14/16] iwlwifi: mvm: fix possible out-of-bounds read when accessing lq_info
Date: Sat, 20 Jul 2019 13:25:43 +0300	[thread overview]
Message-ID: <20190720102545.5952-15-luca@coelho.fi> (raw)
In-Reply-To: <20190720102545.5952-1-luca@coelho.fi>

From: Gregory Greenman <gregory.greenman@intel.com>

lq_info is an array of size 2, active_tbl index is u8.
When accessing lq_info[1 - active_tbl], theoretically it's possible
that the access will be made to a negative index value.

Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 28 +++++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
index 3fa50b1955bb..d3f04acfbacb 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
@@ -1352,6 +1352,18 @@ static void rs_set_expected_tpt_table(struct iwl_lq_sta *lq_sta,
 	tbl->expected_tpt = rs_get_expected_tpt_table(lq_sta, column, rate->bw);
 }
 
+/* rs uses two tables, one is active and the second is for searching better
+ * configuration. This function, according to the index of the currently
+ * active table returns the search table, which is located at the
+ * index complementary to 1 according to the active table (active = 1,
+ * search = 0 or active = 0, search = 1).
+ * Since lq_info is an arary of size 2, make sure index cannot be out of bounds.
+ */
+static inline u8 rs_search_tbl(u8 active_tbl)
+{
+	return (active_tbl ^ 1) & 1;
+}
+
 static s32 rs_get_best_rate(struct iwl_mvm *mvm,
 			    struct iwl_lq_sta *lq_sta,
 			    struct iwl_scale_tbl_info *tbl,	/* "search" */
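Review bot: the comment above rs_search_tbl carries the same typo as the commit message ("Since lq_info is an arary of size 2"); it should read "array". The comment should also say what the helper does with an active_tbl of 2 or more: `return (active_tbl ^ 1) & 1;` maps such a value silently onto 0 or 1, so a corrupted index is hidden rather than reported. A WARN_ON_ONCE(active_tbl > 1) inside the helper would keep the bounds guarantee and still leave a trace in the log when the "theoretical" case actually happens.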
@@ -1699,9 +1711,9 @@ static int rs_switch_to_column(struct iwl_mvm *mvm,
 			       struct ieee80211_sta *sta,
 			       enum rs_column col_id)
 {
-	struct iwl_scale_tbl_info *tbl = &(lq_sta->lq_info[lq_sta->active_tbl]);
+	struct iwl_scale_tbl_info *tbl = &lq_sta->lq_info[lq_sta->active_tbl];
 	struct iwl_scale_tbl_info *search_tbl =
-				&(lq_sta->lq_info[(1 - lq_sta->active_tbl)]);
+		&lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
 	struct rs_rate *rate = &search_tbl->rate;
 	const struct rs_tx_column *column = &rs_tx_columns[col_id];
 	const struct rs_tx_column *curr_column = &rs_tx_columns[tbl->column];
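Review bot: the search-table index is now bounded, but the line just above it, `struct iwl_scale_tbl_info *tbl = &lq_sta->lq_info[lq_sta->active_tbl];`, still indexes lq_info with the raw u8. If active_tbl can hold a value above 1, as the commit message argues, this access reads past the two-element array just as the old `1 - lq_sta->active_tbl` did. Either mask here as well (`lq_sta->active_tbl & 1`) or validate active_tbl at the point where it is assigned, so that both tables are covered by the fix.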
@@ -2109,7 +2121,7 @@ static void rs_rate_scale_perform(struct iwl_mvm *mvm,
 	if (!lq_sta->search_better_tbl)
 		active_tbl = lq_sta->active_tbl;
 	else
-		active_tbl = 1 - lq_sta->active_tbl;
+		active_tbl = rs_search_tbl(lq_sta->active_tbl);
 
 	tbl = &(lq_sta->lq_info[active_tbl]);
 	rate = &tbl->rate;
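Review bot: in the `!lq_sta->search_better_tbl` branch the local active_tbl is copied from lq_sta->active_tbl without masking and `tbl = &(lq_sta->lq_info[active_tbl]);` indexes with it, so this path keeps the out-of-bounds case the patch sets out to close. Masking on that assignment, or a check on lq_sta->active_tbl before the if, would make the two branches consistent. Minor style point: this hunk keeps the parenthesised `&(lq_sta->lq_info[...])` form that rs_switch_to_column drops in the same patch; worth aligning while touching the lines.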
@@ -2333,7 +2345,7 @@ static void rs_rate_scale_perform(struct iwl_mvm *mvm,
 		/* If new "search" mode was selected, set up in uCode table */
 		if (lq_sta->search_better_tbl) {
 			/* Access the "search" table, clear its history. */
-			tbl = &(lq_sta->lq_info[(1 - lq_sta->active_tbl)]);
+			tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
 			rs_rate_scale_clear_tbl_windows(mvm, tbl);
 
 			/* Use new "search" start rate */
@@ -2676,7 +2688,7 @@ static void rs_initialize_lq(struct iwl_mvm *mvm,
 	if (!lq_sta->search_better_tbl)
 		active_tbl = lq_sta->active_tbl;
 	else
-		active_tbl = 1 - lq_sta->active_tbl;
+		active_tbl = rs_search_tbl(lq_sta->active_tbl);
 
 	tbl = &(lq_sta->lq_info[active_tbl]);
 	rate = &tbl->rate;
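Review bot: same gap as in rs_rate_scale_perform: the non-search branch assigns the unmasked lq_sta->active_tbl to active_tbl and `tbl = &(lq_sta->lq_info[active_tbl]);` uses it directly, so only the search-table side of rs_initialize_lq is bounded by this change.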
@@ -3172,9 +3184,9 @@ static void __iwl_mvm_rs_tx_status(struct iwl_mvm *mvm,
 
 	if (!lq_sta->search_better_tbl) {
 		curr_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
-		other_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
+		other_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
 	} else {
-		curr_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
+		curr_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
 		other_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
 	}
 
@@ -3183,7 +3195,7 @@ static void __iwl_mvm_rs_tx_status(struct iwl_mvm *mvm,
 			       "Neither active nor search matches tx rate\n");
 		tmp_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
 		rs_dump_rate(mvm, &tmp_tbl->rate, "ACTIVE");
-		tmp_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
+		tmp_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
 		rs_dump_rate(mvm, &tmp_tbl->rate, "SEARCH");
 		rs_dump_rate(mvm, &lq_rate, "ACTUAL");
 
-- 
2.20.1
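As an added illustration of the index arithmetic the commit message describes (example code written for this page, not code from the iwlwifi driver or from the patch author): the u8 active_tbl is promoted to int in `1 - active_tbl`, so any value of 2 or more yields a negative index, while the patch's `(active_tbl ^ 1) & 1` can only produce 0 or 1. The struct and function names below (lq_model, tbl_model, search_index_old, search_index_new, lq_get_tables) are assumptions for the illustration; the third function goes beyond the patch and shows a variant that rejects a corrupted active table instead of silently masking it.

```c
/* Added example, not iwlwifi code. Models the two-entry lq_info table and
 * the search-index arithmetic from the patch, then checks every possible
 * u8 value of active_tbl. All names here are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

struct tbl_model {
	int id;
};

/* Stand-in for struct iwl_lq_sta: two tables and a u8 index into them. */
struct lq_model {
	struct tbl_model lq_info[2];
	u8 active_tbl;
};

/* Pre-patch expression: u8 is promoted to int, so for active_tbl >= 2 the
 * result is negative and would index before the start of lq_info. */
static int search_index_old(u8 active_tbl)
{
	return 1 - active_tbl;
}

/* The patch's helper: the result is always 0 or 1. */
static u8 search_index_new(u8 active_tbl)
{
	return (active_tbl ^ 1) & 1;
}

/* Hardened accessor (not part of the patch): refuses to index with a
 * corrupted active_tbl instead of masking it. Returns false on corruption. */
static bool lq_get_tables(struct lq_model *lq, struct tbl_model **active,
			  struct tbl_model **search)
{
	if (lq->active_tbl > 1)
		return false;
	*active = &lq->lq_info[lq->active_tbl];
	*search = &lq->lq_info[search_index_new(lq->active_tbl)];
	return true;
}

/* Count the u8 values for which the old expression leaves [0, 1]. */
static int count_old_out_of_bounds(void)
{
	int bad = 0;

	for (int v = 0; v < 256; v++) {
		int idx = search_index_old((u8)v);

		if (idx < 0 || idx > 1)
			bad++;
	}
	return bad;
}

/* Count the u8 values for which the new helper leaves [0, 1]. */
static int count_new_out_of_bounds(void)
{
	int bad = 0;

	for (int v = 0; v < 256; v++) {
		if (search_index_new((u8)v) > 1)
			bad++;
	}
	return bad;
}

int main(void)
{
	/* Constructed input: a deliberately corrupted active_tbl. */
	struct lq_model lq = { .lq_info = { { 0 }, { 1 } }, .active_tbl = 200 };
	struct tbl_model *a, *s;

	printf("old expression out of bounds for %d of 256 values\n",
	       count_old_out_of_bounds());
	printf("new helper out of bounds for %d of 256 values\n",
	       count_new_out_of_bounds());
	printf("active_tbl=200: old search index %d, new search index %u\n",
	       search_index_old(200), search_index_new(200));
	printf("hardened lookup with active_tbl=200: %s\n",
	       lq_get_tables(&lq, &a, &s) ? "ok" : "rejected");
	return 0;
}
```

Compile with any C99 compiler (e.g. `cc -std=c99 -Wall example.c`). The point of the exhaustive loop is that 254 of the 256 possible u8 values make the old expression negative, whereas the masked helper never leaves the array; the hardened accessor shows the alternative of treating such a value as an error rather than quietly using whichever of the two tables the mask happens to select.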



Thread overview (20+ messages):
2019-07-20 10:25 [PATCH 00/16] iwlwifi: fixes intended for 5.3 2019-07-20 Luca Coelho
2019-07-20 10:25 ` [PATCH 01/16] iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 Luca Coelho
     [not found]   ` <20190720122332.E229E2186A@mail.kernel.org>
2019-08-05  9:45     ` Luca Coelho
2019-07-20 10:25 ` [PATCH 02/16] iwlwifi: mvm: prepare the ground for more RSS notifications Luca Coelho
2019-07-20 10:25 ` [PATCH 03/16] iwlwifi: mvm: add a new RSS sync notification for NSSN sync Luca Coelho
2019-07-20 10:25 ` [PATCH 04/16] iwlwiif: mvm: refactor iwl_mvm_notify_rx_queue Luca Coelho
2019-07-20 10:25 ` [PATCH 05/16] iwlwifi: mvm: add a loose synchronization of the NSSN across Rx queues Luca Coelho
2019-07-20 10:25 ` [PATCH 06/16] iwlwifi: mvm: add a wrapper around rs_tx_status to handle locks Luca Coelho
2019-07-20 10:25 ` [PATCH 07/16] iwlwifi: dbg_ini: move iwl_dbg_tlv_load_bin out of debug override ifdef Luca Coelho
2019-07-20 10:25 ` [PATCH 08/16] iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Luca Coelho
2019-07-20 10:25 ` [PATCH 09/16] iwlwifi: fix locking in delayed GTK setting Luca Coelho
2019-07-20 10:25 ` [PATCH 10/16] iwlwifi: mvm: fix comparison of u32 variable with less than zero Luca Coelho
2019-07-20 10:25 ` [PATCH 11/16] iwlwifi: mvm: send LQ command always ASYNC Luca Coelho
2019-07-20 10:25 ` [PATCH 12/16] iwlwifi: mvm: replace RS mutex with a spin_lock Luca Coelho
2019-07-20 10:25 ` [PATCH 13/16] iwlwifi: mvm: fix frame drop from the reordering buffer Luca Coelho
2019-07-20 10:25 ` [PATCH 14/16] iwlwifi: mvm: fix possible out-of-bounds read when accessing lq_info Luca Coelho [this message]
2019-07-20 10:25 ` [PATCH 15/16] iwlwifi: add 3 new IDs for the 9000 series (iwl9260_2ac_160_cfg) Luca Coelho
2019-07-20 10:25 ` [PATCH 16/16] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Luca Coelho
2019-08-01 14:07   ` Jonas Hahnfeld
2019-08-22  6:44     ` Luca Coelho
