LinuxLists.cc - [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5

2021-08-31 08:21:36

Subject: [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
out of bounds write on the next line.

Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 0e97d5e6c644..6e3a63a5a75c 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -360,11 +360,11 @@ static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw,
if (sta) {
rsc = data->rsc->ucast_rsc;
} else {
- if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids)))
+ if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids)))
return;
data->gtk_ids[data->gtks] = key->keyidx;
rsc = data->rsc->mcast_rsc[data->gtks % 2];
- if (WARN_ON(key->keyidx >
+ if (WARN_ON(key->keyidx >=
ARRAY_SIZE(data->rsc->mcast_key_id_map)))
return;
data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2;
--
2.20.1

2021-09-16 17:11:58

by Kalle Valo

[permalink] [raw]

Subject: Re: [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

Dan Carpenter <[email protected]> writes:

> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
>
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <[email protected]>

I think I should take both patches to v5.15. Luca, do you agree? Ack?

I assigned these to me on patchwork.

--
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

2021-09-17 12:38:51

by Luciano Coelho

[permalink] [raw]

Subject: Re: [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

On Tue, 2021-08-31 at 11:18 +0300, Dan Carpenter wrote:
> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
>
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> index 0e97d5e6c644..6e3a63a5a75c 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> @@ -360,11 +360,11 @@ static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw,
> if (sta) {
> rsc = data->rsc->ucast_rsc;
> } else {
> - if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids)))
> + if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids)))
> return;
> data->gtk_ids[data->gtks] = key->keyidx;
> rsc = data->rsc->mcast_rsc[data->gtks % 2];
> - if (WARN_ON(key->keyidx >
> + if (WARN_ON(key->keyidx >=
> ARRAY_SIZE(data->rsc->mcast_key_id_map)))
> return;
> data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2;

Thanks!

Acked-by: Luca Coelho <[email protected]>

--
Cheers,
Luca.

2021-09-17 16:26:32

by Luciano Coelho

[permalink] [raw]

Subject: Re: [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

On Thu, 2021-09-16 at 20:05 +0300, Kalle Valo wrote:
> Dan Carpenter <[email protected]> writes:
>
> > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> > out of bounds write on the next line.
> >
> > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> > Signed-off-by: Dan Carpenter <[email protected]>
>
> I think I should take both patches to v5.15. Luca, do you agree? Ack?
>
> I assigned these to me on patchwork.

Yes, please take them, thanks!

--
Cheers,
Luca.

2021-09-19 17:33:03

by Kalle Valo

[permalink] [raw]

Subject: Re: [PATCH 1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

Dan Carpenter <[email protected]> wrote:

> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
>
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <[email protected]>
> Acked-by: Luca Coelho <[email protected]>

2 patches applied to wireless-drivers.git, thanks.

27a221f433b7 iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()
b6a46b4f6e4b iwlwifi: mvm: d3: missing unlock in iwl_mvm_wowlan_program_keys()

--
https://patchwork.kernel.org/project/linux-wireless/patch/20210831081802.GA9846@kili/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches