From: Larry Finger <Larry.Finger@lwfinger.net>
To: tim.gardner@canonical.com
Cc: Tim Gardner <rtg.canonical@gmail.com>,
Ben Hutchings <bhutchings@solarflare.com>,
Chaoming Li <chaoming_li@realsil.com.cn>,
"John W. Linville" <linville@tuxdriver.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rtlwifi: rtl8192se firmware load can overflow target buffer
Date: Thu, 09 Feb 2012 10:43:52 -0600 [thread overview]
Message-ID: <4F33F7C8.2090105@lwfinger.net> (raw)
In-Reply-To: <4F33DAFC.1000502@canonical.com>
On 02/09/2012 08:41 AM, Tim Gardner wrote:
>
> I agree with you about the semantics of rtlpriv->max_fw_size, but I don't agree
> that the size check is correct. While rtlpriv->max_fw_size has been set to
> sizeof(struct rt_firmware), that value is _way_ bigger then the size of the
> target buffer.
>
> sizeof(struct rt_firmware) == 64000+64000+164000 plus some change
>
> The target buffer size is only 164000 bytes.
>
> I've attached v2 of the patch that is simpler and may serve to better illustrate
> my point. By the way, Ben Hutchings was right about the original patch having an
> off by one error. This version also clears rtlpriv->max_fw_size if the size
> check fails. Probably should have mentioned that in the commit log.
I agree that Ben is right.
This thread forced me to go back to square one in analyzing the situation. For
the other drivers in the rtlwifi family, the firmware file contains an image
that is directly stuffed into the device. For the RTL8192SE devices, it is more
complicated. The structure is described in struct rt_firmware. At the moment,
the arrays there are grossly oversized. They could be as follows:
struct rt_firmware {
struct fw_hdr *pfwheader;
enum fw_status fwstatus;
u16 firmwareversion;
u8 fw_imem[RTL8190_MAX_IMEM_CODE_SIZE];
u8 fw_emem[RTL8190_MAX_DMEM_CODE_SIZE];
u32 fw_imem_len;
u32 fw_emem_len;
u8 sz_fw_tmpbuffer[RTL8190_MAX_FIRMWARE_SIZE];
u32 sz_fw_tmpbufferlen;
u16 cmdpacket_fragthresold;
};
with
RTL8190_MAX_IMEM_CODE_SIZE = 54000 (current fw is 51,208),
RTL8190_MAX_DMEM_CODE_SIZE = 40000 (current fw is 37,520), and
RTL8190_MAX_FIRMWARE_SIZE = 90000 (it holds the raw firmware image, which is
currently 88,856).
Ultimately, all three arrays should be eliminated. Now that we are using
asynchronous loading, the kernel should keep its cached data and not copy it
into the driver's private storage when a pointer will suffice. All the drivers
need this change, but that can wait for now.
I will ACK the patch if you resumit it with
#define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE 90000
Larry
next prev parent reply other threads:[~2012-02-09 16:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-08 21:08 [PATCH] rtlwifi: rtl8192se firmware load can overflow target buffer Tim Gardner
2012-02-08 21:45 ` Ben Hutchings
2012-02-09 0:55 ` Larry Finger
2012-02-09 2:30 ` Larry Finger
2012-02-09 14:41 ` Tim Gardner
2012-02-09 16:43 ` Larry Finger [this message]
2012-02-09 17:25 ` [PATCH v3] " Tim Gardner
2012-02-10 0:21 ` Larry Finger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F33F7C8.2090105@lwfinger.net \
--to=larry.finger@lwfinger.net \
--cc=bhutchings@solarflare.com \
--cc=chaoming_li@realsil.com.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=netdev@vger.kernel.org \
--cc=rtg.canonical@gmail.com \
--cc=tim.gardner@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).