From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Brian Norris <briannorris@chromium.org>,
Kalle Valo <kvalo@kernel.org>,
Amitkumar Karwar <akarwar@marvell.com>,
Xinming Hu <huxm@marvell.com>, Dan Williams <dcbw@redhat.com>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2 3/3] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
Date: Fri, 25 Aug 2023 14:10:44 -0700 [thread overview]
Message-ID: <202308251410.8DAA6AC5E@keescook> (raw)
In-Reply-To: <d4f8780527d551552ee96f17a0229e02e1c200d1.1692931954.git.gustavoars@kernel.org>
On Thu, Aug 24, 2023 at 09:10:45PM -0600, Gustavo A. R. Silva wrote:
> Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before
> decoding data from `event_buf`.
>
> This prevents any malicious or buggy firmware from overflowing
> `event_buf` through large values for `tlv_len` and `tlv_bitmap_len`.
>
> Suggested-by: Dan Williams <dcbw@redhat.com>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> Changes in v2:
> - Fix format specifier: %ld -> %zu
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202308240844.leyoOwdG-lkp@intel.com/
>
> - Update warning messages to explicitly mention that TLV size is
> greater than tlv_buf_len.
>
> v1:
> - Link: https://lore.kernel.org/linux-hardening/587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@kernel.org/
>
> .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
> index 735aac52bdc4..10690e82358b 100644
> --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
> +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
> @@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
> while (tlv_buf_left > sizeof(*tlv_rxba)) {
> tlv_type = le16_to_cpu(tlv_rxba->header.type);
> tlv_len = le16_to_cpu(tlv_rxba->header.len);
> + if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) {
> + mwifiex_dbg(priv->adapter, WARN,
> + "TLV size (%zu) overflows event_buf buf_left=%d\n",
> + size_add(sizeof(tlv_rxba->header), tlv_len),
> + tlv_buf_left);
With the suggested change to make this a warning and not dbg:
Reviewed-by: Kees Cook <keescook@chromium.org>
Thanks!
-Kees
> + return;
> + }
> +
> if (tlv_type != TLV_TYPE_RXBA_SYNC) {
> mwifiex_dbg(priv->adapter, ERROR,
> "Wrong TLV id=0x%x\n", tlv_type);
> @@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
>
> tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num);
> tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len);
> + if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) {
> + mwifiex_dbg(priv->adapter, WARN,
> + "TLV size (%zu) overflows event_buf buf_left=%d\n",
> + size_add(sizeof(*tlv_rxba), tlv_bitmap_len),
> + tlv_buf_left);
> + return;
> + }
> +
> mwifiex_dbg(priv->adapter, INFO,
> "%pM tid=%d seq_num=%d bitmap_len=%d\n",
> tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
> --
> 2.34.1
>
--
Kees Cook
next prev parent reply other threads:[~2023-08-25 21:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-25 3:03 [PATCH v2 0/3] wifi: mwifiex: Fix tlv_buf_left calculation and replace one-element array Gustavo A. R. Silva
2023-08-25 3:06 ` [PATCH v2 1/3] wifi: mwifiex: Fix tlv_buf_left calculation Gustavo A. R. Silva
2023-08-25 21:09 ` Kees Cook
2023-09-04 17:16 ` Kalle Valo
2023-09-04 18:17 ` Gustavo A. R. Silva
2023-08-25 3:07 ` [PATCH v2 2/3] wifi: mwifiex: Replace one-element array with flexible-array member in struct mwifiex_ie_types_rxba_sync Gustavo A. R. Silva
2023-08-25 21:09 ` Kees Cook
2023-08-25 3:10 ` [PATCH v2 3/3] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Gustavo A. R. Silva
2023-08-25 21:10 ` Kees Cook [this message]
2023-08-25 23:38 ` Brian Norris
2023-08-25 23:54 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308251410.8DAA6AC5E@keescook \
--to=keescook@chromium.org \
--cc=akarwar@marvell.com \
--cc=briannorris@chromium.org \
--cc=dcbw@redhat.com \
--cc=gustavoars@kernel.org \
--cc=huxm@marvell.com \
--cc=kvalo@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).