From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>,
	Luca Coelho <luciano.coelho@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 111/130] iwlwifi: mvm: validate firmware sync response size
Date: Tue, 22 Dec 2020 21:17:54 -0500	[thread overview]
Message-ID: <20201223021813.2791612-111-sashal@kernel.org> (raw)
In-Reply-To: <20201223021813.2791612-1-sashal@kernel.org>

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit b570e5b0592a56c5990ae3aa0fdb93dd9b545d43 ]

We send some data to the firmware and expect to get it back,
but we shouldn't really trust the firmware on this. Check the
size of all the data we send down to avoid using bad or just
uninitialized data when the firmware doesn't respond right.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201209231352.a5a8173f16c7.I4fa68bb2b1c7dcc52ddd381c4042722d27c4a34d@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index d0bfcee59a3a7..545a84e08816e 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -763,10 +763,18 @@ void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct napi_struct *napi,
 	struct iwl_rx_packet *pkt = rxb_addr(rxb);
 	struct iwl_rxq_sync_notification *notif;
 	struct iwl_mvm_internal_rxq_notif *internal_notif;
+	u32 len = iwl_rx_packet_payload_len(pkt);
 
 	notif = (void *)pkt->data;
 	internal_notif = (void *)notif->payload;
 
+	if (WARN_ONCE(len < sizeof(*notif) + sizeof(*internal_notif),
+		      "invalid notification size %d (%d)",
+		      len, (int)(sizeof(*notif) + sizeof(*internal_notif))))
+		return;
+	/* remove only the firmware header, we want all of our payload below */
+	len -= sizeof(*notif);
+
 	if (internal_notif->sync &&
 	    mvm->queue_sync_cookie != internal_notif->cookie) {
 		WARN_ONCE(1, "Received expired RX queue sync message\n");
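Review bot: `len` is a `u32` but the new WARN_ONCE at `"invalid notification size %d (%d)"` prints it with `%d`; `%u` matches the type (the `(int)` cast on the second argument is fine since that is a small constant). Otherwise the ordering looks right: `notif` and `internal_notif` are only computed as pointers before the check, and the first dereference (`internal_notif->sync`, `->cookie`) happens after the early `return`, so a short packet can no longer read past the payload. Because the check guarantees `len >= sizeof(*notif) + sizeof(*internal_notif)`, the `len -= sizeof(*notif)` that follows cannot wrap.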
@@ -775,11 +783,22 @@ void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct napi_struct *napi,
 
 	switch (internal_notif->type) {
 	case IWL_MVM_RXQ_EMPTY:
+		WARN_ONCE(len != sizeof(*internal_notif),
+			  "invalid empty notification size %d (%d)",
+			  len, (int)sizeof(*internal_notif));
 		break;
 	case IWL_MVM_RXQ_NOTIF_DEL_BA:
+		if (WARN_ONCE(len != sizeof(struct iwl_mvm_rss_sync_notif),
+			      "invalid delba notification size %d (%d)",
+			      len, (int)sizeof(struct iwl_mvm_rss_sync_notif)))
+			break;
 		iwl_mvm_del_ba(mvm, queue, (void *)internal_notif->data);
 		break;
 	case IWL_MVM_RXQ_NSSN_SYNC:
+		if (WARN_ONCE(len != sizeof(struct iwl_mvm_rss_sync_notif),
+			      "invalid nssn sync notification size %d (%d)",
+			      len, (int)sizeof(struct iwl_mvm_rss_sync_notif)))
+			break;
 		iwl_mvm_nssn_sync(mvm, napi, queue,
 				  (void *)internal_notif->data);
 		break;
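Review bot: the DEL_BA and NSSN_SYNC checks compare `len` (payload minus the `iwl_rxq_sync_notification` header, so still including `iwl_mvm_internal_rxq_notif`) against `sizeof(struct iwl_mvm_rss_sync_notif)`; this is only correct if that struct embeds the internal header as its first member, which the hunk does not show. A short comment stating that layout next to the first check would make the intent reviewable, and a small `IWL_MVM_RXQ_EMPTY`-style helper would avoid repeating the three near-identical WARN_ONCE blocks. As in the first hunk, `len` is a `u32`, so `%u` rather than `%d` fits the format strings. The EMPTY case warning without a `break` is acceptable since no body bytes are consumed there.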
-- 
2.27.0
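The pattern the commit message describes, checking a firmware-echoed notification's size before any type-specific body is used, as an added stand-alone example. This is not iwlwifi code: the wire layout (`fw_hdr`, `sync_hdr`, `delba_body`), the type and verdict enums and the function names are hypothetical and constructed for illustration, but the structure follows the patch: reject anything shorter than the two headers, strip only the firmware header, then require an exact per-type length before touching the body.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire layout, constructed for this example (not iwlwifi's structs). */
struct fw_hdr {            /* header the firmware prepends to every notification */
	uint32_t seq;
};
struct sync_hdr {          /* header the driver sends down and expects echoed back */
	uint32_t cookie;   /* must match the outstanding sync request */
	uint8_t  sync;     /* non-zero: this is an answer to a sync request */
	uint8_t  type;     /* enum notif_type */
	uint8_t  pad[2];
};
struct delba_body {        /* body for NOTIF_DEL_BA */
	uint8_t baid;
	uint8_t pad[3];
};

enum notif_type { NOTIF_EMPTY = 0, NOTIF_DEL_BA = 1 };
enum verdict { OK = 0, ERR_TRUNCATED, ERR_BAD_LEN, ERR_EXPIRED, ERR_TYPE };

/* Validate and parse one notification; baid_out is filled only for a valid DEL_BA. */
enum verdict handle_sync_notif(const uint8_t *pkt, size_t pkt_len,
			       uint32_t expected_cookie, uint8_t *baid_out)
{
	struct sync_hdr hdr;
	size_t len;

	/* Step 1: both headers must be present before either is read. */
	if (pkt_len < sizeof(struct fw_hdr) + sizeof(hdr))
		return ERR_TRUNCATED;
	memcpy(&hdr, pkt + sizeof(struct fw_hdr), sizeof(hdr));

	/* Step 2: strip only the firmware header; len still covers sync_hdr + body. */
	len = pkt_len - sizeof(struct fw_hdr);

	if (hdr.sync && hdr.cookie != expected_cookie)
		return ERR_EXPIRED;   /* stale answer to an older sync request */

	/* Step 3: exact per-type length before the body is consumed. */
	switch (hdr.type) {
	case NOTIF_EMPTY:
		return len == sizeof(hdr) ? OK : ERR_BAD_LEN;
	case NOTIF_DEL_BA: {
		struct delba_body body;

		if (len != sizeof(hdr) + sizeof(body))
			return ERR_BAD_LEN;
		memcpy(&body, pkt + sizeof(struct fw_hdr) + sizeof(hdr), sizeof(body));
		if (baid_out)
			*baid_out = body.baid;
		return OK;
	}
	default:
		return ERR_TYPE;
	}
}

/* Build a constructed sample packet into out (must hold at least 16 bytes); returns its length. */
size_t build_pkt(uint8_t *out, uint32_t cookie, uint8_t sync, uint8_t type,
		 const void *body, size_t body_len)
{
	struct fw_hdr fh = { .seq = 1 };
	struct sync_hdr sh = { .cookie = cookie, .sync = sync, .type = type, .pad = {0, 0} };
	size_t off = 0;

	memcpy(out + off, &fh, sizeof(fh)); off += sizeof(fh);
	memcpy(out + off, &sh, sizeof(sh)); off += sizeof(sh);
	if (body_len) {
		memcpy(out + off, body, body_len);
		off += body_len;
	}
	return off;
}

int main(void)
{
	uint8_t buf[64], baid = 0;
	struct delba_body b = { .baid = 7, .pad = {0, 0, 0} };
	size_t n = build_pkt(buf, 0x1234, 1, NOTIF_DEL_BA, &b, sizeof(b));

	printf("full packet:  verdict %d, baid %u\n", handle_sync_notif(buf, n, 0x1234, &baid), baid);
	printf("2 bytes short: verdict %d\n", handle_sync_notif(buf, n - 2, 0x1234, &baid));
	printf("6-byte runt:   verdict %d\n", handle_sync_notif(buf, 6, 0x1234, &baid));
	return 0;
}
```

The truncated packet is caught by the first check and the undersized DEL_BA by the per-type one; neither path reaches the `memcpy` of the body, which is the property the patch restores in the driver.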

