From: Brian Norris
Date: Fri, 16 Jul 2021 09:58:07 -0700
Subject: Re: [PATCH v2] rtw88: Fix out-of-bounds write
To: Len Baker
Cc: Yan-Hsuan Chuang, Kalle Valo, "David S. Miller", Jakub Kicinski, Stanislaw Gruszka, Pkshih, linux-wireless, Linux Kernel, stable
In-Reply-To: <20210716155311.5570-1-len.baker@gmx.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 16, 2021 at 8:54 AM Len Baker wrote:
>
> In the rtw_pci_init_rx_ring function the "if (len > TRX_BD_IDX_MASK)"
> statement guarantees that len is less than or equal to GENMASK(11, 0) or,
> in other words, that len is less than or equal to 4095. However, the
> rx_ring->buf has a size of RTK_MAX_RX_DESC_NUM (defined as 512). This
> way an out-of-bounds write is possible in the for statement, because
> the i variable can exceed the rx_ring->buf size.
>
> However, this overflow never happens because rtw_pci_init_rx_ring is
> only ever called with a fixed constant of RTK_MAX_RX_DESC_NUM. But it is
> better to be defensive in this case and add a new check to avoid
> overflows if this function is called in the future with a value greater
> than 512.
>
> Cc: stable@vger.kernel.org

This kinda seems excessive, considering we absolutely know this is not
currently a bug. But then, LWN nicely highlighted this thread, which
reminds me that even without the Cc stable, this is likely to
unnecessarily get picked up:

https://lwn.net/ml/linux-kernel/YO0zXVX9Bx9QZCTs@kroah.com/

And I guess silencing Coverity is a desirable goal in many cases, even
if Coverity is being a bit trigger-happy. So, *shrug*.

> Addresses-Coverity-ID: 1461515 ("Out-of-bounds write")
> Fixes: e3037485c68ec ("rtw88: new Realtek 802.11ac driver")
> Signed-off-by: Len Baker
> ---
> Changelog v1 -> v2
> - Remove the macro ARRAY_SIZE from the for loop (Pkshih, Brian Norris).
> - Add a new check for the len variable (Pkshih, Brian Norris).

Reviewed-by: Brian Norris

Thanks.
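The bounds gap the commit message describes, as an added C illustration that is not the rtw88 driver's code: the constants are the ones named in the message, while the GENMASK macro, the struct, the function names and the loop body are constructed stand-ins. It puts the mask-only check beside the hardened one so the accepted-but-unsafe range (513..4095) is visible.

```c
/* Added example, not rtw88 code: models the two bounds a ring-length
 * check must respect. Constants come from the commit message; the rest
 * is a constructed stand-in. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified GENMASK (the kernel's is more general); GENMASK(11, 0) == 4095 */
#define GENMASK(h, l)        (((1U << ((h) - (l) + 1)) - 1) << (l))
#define TRX_BD_IDX_MASK      GENMASK(11, 0)  /* width of the hw descriptor index */
#define RTK_MAX_RX_DESC_NUM  512             /* slots actually backed by memory */

struct rx_ring {
    void *buf[RTK_MAX_RX_DESC_NUM];  /* stand-in for rx_ring->buf */
};

/* Before: only the hardware index width is checked, so a len in
 * (512, 4095] is accepted even though buf[] has 512 entries. */
static int check_len_mask_only(uint32_t len)
{
    if (len > TRX_BD_IDX_MASK)
        return -EINVAL;
    return 0;
}

/* After: additionally refuse any len the backing array cannot hold. */
static int check_len_hardened(uint32_t len)
{
    if (len > TRX_BD_IDX_MASK)
        return -EINVAL;
    if (len > RTK_MAX_RX_DESC_NUM)
        return -EINVAL;
    return 0;
}

/* Initialise the first len slots; returns -EINVAL when len is rejected,
 * otherwise the number of slots touched. The loop index i can never
 * exceed RTK_MAX_RX_DESC_NUM - 1 once the hardened check has passed. */
static int init_rx_ring(struct rx_ring *ring, uint32_t len)
{
    int ret = check_len_hardened(len);
    if (ret)
        return ret;
    for (uint32_t i = 0; i < len; i++)
        ring->buf[i] = NULL;  /* the driver allocates an skb per slot here */
    return (int)len;
}
```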