[PATCH] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[PATCH] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[pip-izony]

From: Seungjin Bae <eeodqql09@gmail.com>

The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.

If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.

This patch adds length checks for both rtl8187 and rtl8187b descriptor
headers before attempting to access them, dropping the packet cleanly
if the check fails.

Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 0c5c66401daa..eff42acc11a0 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -344,6 +344,10 @@ static void rtl8187_rx_cb(struct urb *urb)
 	}
 
 	if (!priv->is_rtl8187b) {
+		if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
+			dev_kfree_skb_irq(skb);
+			return;
+		}
 		struct rtl8187_rx_hdr *hdr =
 			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		flags = le32_to_cpu(hdr->flags);
@@ -355,6 +359,10 @@ static void rtl8187_rx_cb(struct urb *urb)
 		rx_status.antenna = (hdr->signal >> 7) & 1;
 		rx_status.mactime = le64_to_cpu(hdr->mac_time);
 	} else {
+		if (skb->len < sizeof(struct rtl8187b_rx_hdr)) {
+			dev_kfree_skb_irq(skb);
+			return;
+		}
 		struct rtl8187b_rx_hdr *hdr =
 			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		/* The Realtek datasheet for the RTL8187B shows that the RX
-- 
2.43.0

Re: [PATCH] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[Ping-Ke Shih]

pip-izony <eeodqql09@gmail.com> wrote:

> 
> From: Seungjin Bae <eeodqql09@gmail.com>
> 
> The rtl8187_rx_cb() calculates the rx descriptor header address
> by subtracting its size from the skb tail pointer.
> However, it does not validate if the received packet
> (skb->len from urb->actual_length) is large enough to contain this
> header.
> 
> If a truncated packet is received, this will lead to a buffer
> underflow, reading memory before the start of the skb data area,
> and causing a kernel panic.
> 
> This patch adds length checks for both rtl8187 and rtl8187b descriptor
> headers before attempting to access them, dropping the packet cleanly
> if the check fails.
> 
> Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> 
> diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> index 0c5c66401daa..eff42acc11a0 100644
> --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> @@ -344,6 +344,10 @@ static void rtl8187_rx_cb(struct urb *urb)
>  	}
>  
>  	if (!priv->is_rtl8187b) {
> +		if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
> +			dev_kfree_skb_irq(skb);
> +			return;
> +		}

Though compiler doesn't warn something if statements before declarations,
we still don't suggest this style.

A way is 

	struct rtl8187_rx_hdr *hdr;

	if (skb->len < sizeof(struct rtl8187_rx_hdr)) { 
		...
		return;
	}

	hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));

Or, check before if branches

	(declare at top of this function)
	int skb_len_limit = !priv->is_rtl8187b ? sizeof(struct rtl8187_rx_hdr) :
						 sizeof(struct rtl8187b_rx_hdr);

	if (skb->len < skb_len_limit) {
		...
		return;
	}


>  		struct rtl8187_rx_hdr *hdr =
>  			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
>  		flags = le32_to_cpu(hdr->flags);
> @@ -355,6 +359,10 @@ static void rtl8187_rx_cb(struct urb *urb)
>  		rx_status.antenna = (hdr->signal >> 7) & 1;
>  		rx_status.mactime = le64_to_cpu(hdr->mac_time);
>  	} else {
> +		if (skb->len < sizeof(struct rtl8187b_rx_hdr)) {
> +			dev_kfree_skb_irq(skb);
> +			return;
> +		}
>  		struct rtl8187b_rx_hdr *hdr =
>  			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
>  		/* The Realtek datasheet for the RTL8187B shows that the RX

[PATCH v2] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[pip-izony]

From: Seungjin Bae <eeodqql09@gmail.com>

The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.

If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.

This patch adds length checks for both rtl8187 and rtl8187b descriptor
headers before attempting to access them, dropping the packet cleanly
if the check fails.

Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 v1 -> v2: Addressing feedback from Ping-Ke Shih

 .../net/wireless/realtek/rtl818x/rtl8187/dev.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 0c5c66401daa..4d0b408b4e33 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -344,8 +344,13 @@ static void rtl8187_rx_cb(struct urb *urb)
 	}
 
 	if (!priv->is_rtl8187b) {
-		struct rtl8187_rx_hdr *hdr =
-			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+		struct rtl8187_rx_hdr *hdr;
+
+		if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
+			dev_kfree_skb_irq(skb);
+			return;
+		}
+		hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		flags = le32_to_cpu(hdr->flags);
 		/* As with the RTL8187B below, the AGC is used to calculate
 		 * signal strength. In this case, the scaling
@@ -355,8 +360,13 @@ static void rtl8187_rx_cb(struct urb *urb)
 		rx_status.antenna = (hdr->signal >> 7) & 1;
 		rx_status.mactime = le64_to_cpu(hdr->mac_time);
 	} else {
-		struct rtl8187b_rx_hdr *hdr =
-			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+		struct rtl8187b_rx_hdr *hdr;
+
+		if (skb->len < sizeof(struct rtl8187b_rx_hdr)) {
+			dev_kfree_skb_irq(skb);
+			return;
+		}
+		hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		/* The Realtek datasheet for the RTL8187B shows that the RX
 		 * header contains the following quantities: signal quality,
 		 * RSSI, AGC, the received power in dB, and the measured SNR.
-- 
2.43.0

Re: [PATCH v2] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[Markus Elfring]

…
> This patch adds length checks for …

See also once more:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.18-rc5#n94

Regards,
Markus

Re: [PATCH v2] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[Markus Elfring]

…
> +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> @@ -344,8 +344,13 @@ static void rtl8187_rx_cb(struct urb *urb)
>  	}
>  
>  	if (!priv->is_rtl8187b) {
> -		struct rtl8187_rx_hdr *hdr =
> -			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
> +		struct rtl8187_rx_hdr *hdr;
> +
> +		if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
> +			dev_kfree_skb_irq(skb);
> +			return;
> +		}
…

You may avoid duplicate exception handling code by using a corresponding goto statement.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?h=v6.18-rc5#n526

Regards,
Markus

[PATCH v3] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[pip-izony]

From: Seungjin Bae <eeodqql09@gmail.com>

The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.

If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.

Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.

Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 v1 -> v2: Addressing feedback from Ping-Ke Shih
 v2 -> v3: Address coding style feedback from Markus Elfring

 .../wireless/realtek/rtl818x/rtl8187/dev.c    | 27 +++++++++++++------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 0c5c66401daa..7aa2da0cd63c 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -338,14 +338,16 @@ static void rtl8187_rx_cb(struct urb *urb)
 	spin_unlock_irqrestore(&priv->rx_queue.lock, f);
 	skb_put(skb, urb->actual_length);
 
-	if (unlikely(urb->status)) {
-		dev_kfree_skb_irq(skb);
-		return;
-	}
+	if (unlikely(urb->status))
+		goto free_skb;
 
 	if (!priv->is_rtl8187b) {
-		struct rtl8187_rx_hdr *hdr =
-			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+		struct rtl8187_rx_hdr *hdr;
+
+		if (skb->len < sizeof(struct rtl8187_rx_hdr))
+			goto free_skb;
+
+		hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		flags = le32_to_cpu(hdr->flags);
 		/* As with the RTL8187B below, the AGC is used to calculate
 		 * signal strength. In this case, the scaling
@@ -355,8 +357,12 @@ static void rtl8187_rx_cb(struct urb *urb)
 		rx_status.antenna = (hdr->signal >> 7) & 1;
 		rx_status.mactime = le64_to_cpu(hdr->mac_time);
 	} else {
-		struct rtl8187b_rx_hdr *hdr =
-			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+		struct rtl8187b_rx_hdr *hdr;
+
+		if (skb->len < sizeof(struct rtl8187b_rx_hdr))
+			goto free_skb;
+
+		hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
 		/* The Realtek datasheet for the RTL8187B shows that the RX
 		 * header contains the following quantities: signal quality,
 		 * RSSI, AGC, the received power in dB, and the measured SNR.
@@ -409,6 +415,11 @@ static void rtl8187_rx_cb(struct urb *urb)
 		skb_unlink(skb, &priv->rx_queue);
 		dev_kfree_skb_irq(skb);
 	}
+	return;
+
+free_skb:
+	dev_kfree_skb_irq(skb);
+	return;
 }
 
 static int rtl8187_init_urbs(struct ieee80211_hw *dev)
-- 
2.43.0

Re: [PATCH v3] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

[Ping-Ke Shih]

pip-izony <eeodqql09@gmail.com> wrote:

> From: Seungjin Bae <eeodqql09@gmail.com>
> 
> The rtl8187_rx_cb() calculates the rx descriptor header address
> by subtracting its size from the skb tail pointer.
> However, it does not validate if the received packet
> (skb->len from urb->actual_length) is large enough to contain this
> header.
> 
> If a truncated packet is received, this will lead to a buffer
> underflow, reading memory before the start of the skb data area,
> and causing a kernel panic.
> 
> Add length checks for both rtl8187 and rtl8187b descriptor headers
> before attempting to access them, dropping the packet cleanly if the
> check fails.
> 
> Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>

1 patch(es) applied to rtw-next branch of rtw.git, thanks.

b647d2574e45 wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

---
https://github.com/pkshih/rtw.git