From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Wen Gong <quic_wgong@quicinc.com>,
	Johannes Berg <johannes.berg@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	kvalo@kernel.org, quic_jjohnson@quicinc.com,
	ath12k@lists.infradead.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.4 06/11] wifi: ath12k: Fix buffer overflow when scanning with extraie
Date: Tue, 22 Aug 2023 07:35:48 -0400
Message-ID: <20230822113553.3551206-6-sashal@kernel.org>
In-Reply-To: <20230822113553.3551206-1-sashal@kernel.org>

From: Wen Gong <quic_wgong@quicinc.com>

[ Upstream commit 06f2ab86a5b6ed55f013258de4be9319841853ea ]

If cfg80211 is providing extraie's for a scanning process then ath12k will
copy that over to the firmware. The extraie.len is a 32 bit value in struct
element_info and describes the number of bytes for the vendor information
elements.

The problem is the allocation of the buffer. It has to align the TLV
sections by 4 bytes. But the code was using a u8 to store the newly
calculated length of this section (with alignment). And the newly
calculated length was then used to allocate the skbuff. But the actual
code to copy in the data is using the extraie.len and not the calculated
"aligned" length.

The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled
was 264 bytes during tests with a wifi card. But it only allocated 8
bytes (264 bytes % 256) for it. As a consequence, the code to memcpy the
extraie into the skb was then just overwriting data after skb->end. Things
like shinfo were therefore corrupted. This could usually be seen by a crash
in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus
address).

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Link: https://lore.kernel.org/r/20230809081241.32765-1-quic_wgong@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath12k/wmi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 7ae0bb78b2b53..1e65e35b5f3a6 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2144,8 +2144,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
 	struct wmi_tlv *tlv;
 	void *ptr;
 	int i, ret, len;
-	u32 *tmp_ptr;
-	u8 extraie_len_with_pad = 0;
+	u32 *tmp_ptr, extraie_len_with_pad = 0;
 	struct ath12k_wmi_hint_short_ssid_arg *s_ssid = NULL;
 	struct ath12k_wmi_hint_bssid_arg *hint_bssid = NULL;
 
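Review bot: widening extraie_len_with_pad to u32 removes the mod-256 wrap described in the commit message, but the hunk shows only the declaration, not the site where the padded length is computed or where extraie.len is later memcpy'd, so the allocation size and the copy size still come from two different variables; a follow-up that derives both from the same value, or adds a check that the skb has room for extraie.len before the copy, would make a future type change harmless. Minor style point: `u32 *tmp_ptr, extraie_len_with_pad = 0;` mixes a pointer and a scalar in one declarator list, which is easy to misread; keeping `u32 extraie_len_with_pad = 0;` on its own line preserves the readability of the original two declarations.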
-- 
2.40.1
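An added stand-alone illustration of the truncation pattern the commit message describes (not code from the ath12k driver or the patch): the padded length computed into a u8 versus a u32, the number of bytes a copy of the full extraie.len would write past an 8-byte allocation, and a copy helper that refuses a destination smaller than the source. `tlv_align4` is an assumed stand-in for the kernel's 4-byte TLV roundup, and 264 is the length quoted in the commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's roundup(len, sizeof(u32)) TLV padding. */
static uint32_t tlv_align4(uint32_t len)
{
	return (len + 3u) & ~3u;
}

/* Pre-fix shape: the padded length lands in a u8 and silently wraps mod 256. */
static uint8_t padded_len_u8(uint32_t extraie_len)
{
	return (uint8_t)tlv_align4(extraie_len);
}

/* Post-fix shape: the padded length keeps its full 32-bit width. */
static uint32_t padded_len_u32(uint32_t extraie_len)
{
	return tlv_align4(extraie_len);
}

/* Bytes a memcpy of copy_len into an alloc_len buffer would write past its end. */
static uint32_t overflow_bytes(uint32_t alloc_len, uint32_t copy_len)
{
	return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

/* Defensive copy: refuse when the destination was sized smaller than the source. */
static bool copy_extraie_checked(uint8_t *dst, uint32_t dst_len,
				 const uint8_t *src, uint32_t src_len)
{
	if (src_len > dst_len)
		return false;
	memcpy(dst, src, src_len);
	return true;
}

int main(void)
{
	uint32_t extraie_len = 264; /* value from the commit message's test run */

	printf("u8 padded length:  %u\n", padded_len_u8(extraie_len));
	printf("u32 padded length: %u\n", padded_len_u32(extraie_len));
	printf("bytes past end:    %u\n",
	       overflow_bytes(padded_len_u8(extraie_len), extraie_len));
	return 0;
}
```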


