Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2489975pxb; Mon, 11 Jan 2021 10:55:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJxga7q4sEVCLB+9/SCBk61/FJu4EG6I3Lu8x/69Hn6Jrkh6Xfl8rZ9BgvnaXtcWXa8dYoMS X-Received: by 2002:aa7:c44b:: with SMTP id n11mr570978edr.216.1610391344386; Mon, 11 Jan 2021 10:55:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610391344; cv=none; d=google.com; s=arc-20160816; b=nWdHWqEuITSWsG34ECzwWs71BRxRF2ej/FNbqvazfow+DUS4I7Gelmr3X5jvFqWBt2 dNJ/b9kGmfVDVGWLKoedgFr4d8EMh9718D1/vcXAMdpfdug50gio5ntKcD2vcAlBlzl5 Pg3eWsC7mwCqmnvCr9fNm8UJnmStNhRXGdqGIjIHH0rexRmqwM8PRAb+FTdDPZfiTxCQ YJHFomr/gnz44QsdILdovVFxarEEPrp1eFfHdXsZEPSH2dlnk7y6vCu2AOwcYmNkMxLV dzh9oNji2g31A7yrnDsy+0Mj+Te33RFtZ1EPp1ct0nfagUyyzAtr6BfpDwnNb1dT3Iaj iHHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Rvew6cqVQniXIqwsUnCnTwK4rV3/PNHAJceO8utJLLk=; b=rRMfsfdPewFJPIfG2L12B5N1lNn8tq3hfDW63d7vL5GhFGv71MGdjESnut5o0rJ5ZN qS7Eqa8XRYqrV1sHRvOKrnItloxPD9nSuo6eaJqj1+b4EAS2ddy0j/7vFis070/tWHL7 TuTp/hc3Ejzo47X4+w+TbKLf8c6npHG1a4CnEGD9uv7SaYw1AYv+G+CXA0EBy8R1Ztw1 4bPRFPyGrqfMHwuaPiqzPrr5kPs3Y6zDsSbsZ2SKZiogONtb38Zi8QnwEUoGHZJ3iNJO I1hFnqAibVqI1xHG6/IkjZMdUTnyUdw9ptZ56RAA6AVsqbvUSyIujZi6TmNnZrSx+Io3 CdoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ue034u5m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v19si246533edr.303.2021.01.11.10.55.20; Mon, 11 Jan 2021 10:55:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ue034u5m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390520AbhAKSwx (ORCPT + 99 others); Mon, 11 Jan 2021 13:52:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37946 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727242AbhAKSwx (ORCPT ); Mon, 11 Jan 2021 13:52:53 -0500 Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 03E31C0617A3 for ; Mon, 11 Jan 2021 10:52:13 -0800 (PST) Received: by mail-ot1-x32b.google.com with SMTP id d20so705800otl.3 for ; Mon, 11 Jan 2021 10:52:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Rvew6cqVQniXIqwsUnCnTwK4rV3/PNHAJceO8utJLLk=; b=Ue034u5m1alXCz0yam8z4ML3f8BUq3NE+BNDAj5vPgNhkLiQj5PMokmGL0HUVkQS89 5hYptgGnoHI6paU47QAPGm/H46VmW6+d3bRYuA8Cm/0eCTdfEsoieI5HKuldyk2F4ZLF YETtpLHMvzqbpu0SNYoUWN1qpBj4L7DhRVwJo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Rvew6cqVQniXIqwsUnCnTwK4rV3/PNHAJceO8utJLLk=; b=KkUZU/nrwXXlcSzpkaU/t716FvLFYRd3UPQgW7zfncup4YW2KL1n3n85Ot4Ii3kfYi sAQ/3VdFtnq36GwK1yWZL6bsirK0/hwKoJEyIcjhr0DG+91+K1xCm/bwDpza2dnUTaMj dcXVDzrngWGMO4pVwvXhP17rZlfGezrcSfUtiRiIq4lyZT7c+ha8dJH92eV92Q3uzTCL nNXJukdSGUS2CQ80NmzrdKD4TG6euBvVt9uN0Fx7rCPejKpHF/2MI80f5nB31eVrYY+H iobiziLuJhUgLQlC43rZcjLPa8BXXYPsA7+H3nI/3WvJE6QDThkP5TLVlxh9hNn4ZOMZ vFdg== X-Gm-Message-State: AOAM531b6mcJ7oTS6J+J4m4g6OY6FdRalsvsLEAoolWqwtTgTfyW7qLL cP9HsNqX007ctnzQUxK/FURNo+iigE7Ebw== X-Received: by 2002:a9d:6847:: with SMTP id c7mr389321oto.134.1610391130987; Mon, 11 Jan 2021 10:52:10 -0800 (PST) Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com. [209.85.167.171]) by smtp.gmail.com with ESMTPSA id b188sm122455oif.49.2021.01.11.10.52.09 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 11 Jan 2021 10:52:09 -0800 (PST) Received: by mail-oi1-f171.google.com with SMTP id l200so371587oig.9 for ; Mon, 11 Jan 2021 10:52:09 -0800 (PST) X-Received: by 2002:aca:af4d:: with SMTP id y74mr130054oie.105.1610391128693; Mon, 11 Jan 2021 10:52:08 -0800 (PST) MIME-Version: 1.0 References: <20201208124523.8169-1-ruc_zhangxiaohui@163.com> <20210109160844.4ca73bf1@gmx.net> In-Reply-To: <20210109160844.4ca73bf1@gmx.net> From: Brian Norris Date: Mon, 11 Jan 2021 10:51:57 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_config_scan To: Peter Seiderer Cc: Xiaohui Zhang , Amitkumar Karwar , Ganapathi Bhat , Xinming Hu , Kalle Valo , "David S. Miller" , Jakub Kicinski , linux-wireless , "" , Linux Kernel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (Note: this is version 1; there's a later version posted, which does not have a v2 tag...) https://lore.kernel.org/linux-wireless/20201208150951.35866-1-ruc_zhangxiaohui@163.com/ On Sat, Jan 9, 2021 at 7:11 AM Peter Seiderer wrote: > On Tue, 8 Dec 2020 20:45:23 +0800, Xiaohui Zhang wrote: > > From: Zhang Xiaohui > > mwifiex_config_scan() calls memcpy() without checking > > the destination size may trigger a buffer overflower, > > which a local user could use to cause denial of service > > or the execution of arbitrary code. > > Fix it by putting the length check before calling memcpy(). > > > > Signed-off-by: Zhang Xiaohui > > --- > > drivers/net/wireless/marvell/mwifiex/scan.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c > > index c2a685f63..b1d90678f 100644 > > --- a/drivers/net/wireless/marvell/mwifiex/scan.c > > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c > > @@ -930,6 +930,8 @@ mwifiex_config_scan(struct mwifiex_private *priv, > > "DIRECT-", 7)) > > wildcard_ssid_tlv->max_ssid_length = 0xfe; > > > > + if (ssid_len > 1) > > + ssid_len = 1; > > Why do your believe the available size is only '1'? A SSID is expected > to be of size IEEE80211_MAX_SSID_LE/32 and the wildcard_ssid_tlv pointer > is casted from tlv_pos (some lines above) which is a pointer/index into > scan_cfg_out->tlv_buf... I pointed out this discrepancy already, taking a slightly different approach: https://lore.kernel.org/linux-wireless/CA+ASDXPVu5S0Vm0aOcyqLN090u3BwA_nV358YwkpXuU223Ug9g@mail.gmail.com/ > And the define (line 44) indicates there should be enough space for a SSID: > > 42 /* Memory needed to store a max number/size WildCard SSID TLV for a firmware > 43 scan */ > 44 #define WILDCARD_SSID_TLV_MAX_SIZE \ > 45 (MWIFIEX_MAX_SSID_LIST_LENGTH * \ > 46 (sizeof(struct mwifiex_ie_types_wildcard_ssid_params) \ > 47 + IEEE80211_MAX_SSID_LEN)) Ah, good catch. So this may not be a true overflow issue at all, even if it's confusing and bad code. The "problem" is that this piece of the struct is variable-length, and unless we're going to dynamically resize/reallocate the whole buffer, we have to assume the initial allocation was large enough (and per your note, it is). > For sure something to improve here instead of using a confusing 'u8 ssid[1]' > in struct mwifiex_ie_types_wildcard_ssid_params... Yep. Brian