2011-09-12 19:08:37

by Johannes Berg

Subject: [PATCH 3.1] iwlagn: fix stack corruption

From: Johannes Berg <[email protected]>

Alexander reported a strange crash in iwlagn that
Meenakshi and Wey couldn't reproduce. I just ran
into the same issue and tracked it down to stack
corruption. This fixes it.

The problem was introduced in
commit 4b8b99b6e650d0527f3a123744b7459976581d14
Author: Wey-Yi Guy <[email protected]>
Date: Fri Jul 8 14:29:48 2011 -0700

iwlagn: radio sensor offset in le16 format

Cc: Wey-Yi Guy <[email protected]>
Cc: Meenakshi Venkataraman <[email protected]>
Reported-by: Alexander Diewald <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
---
Wey, please fix your recent commit in our internal tree
that does the v2 offset calibration -- it has the same
bug twice.

drivers/net/wireless/iwlwifi/iwl-agn-ucode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:34.000000000 +0200
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:43.000000000 +0200
@@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset

memset(&cmd, 0, sizeof(cmd));
iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD);
- memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib));
+ memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib));
if (!(cmd.radio_sensor_offset))
cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET;

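Review bot: the fix is correct, and the root cause is visible in the '-' line: `sizeof(offset_calib)` is the size of the pointer (8 bytes on a 64-bit kernel), while `cmd.radio_sensor_offset` is the le16 field named in the referenced commit, so the copy wrote past the 2-byte field into the neighbouring stack memory of the on-stack `cmd`, which matches the reported stack corruption; `sizeof(*offset_calib)` on the '+' line copies the pointee's 2 bytes. Since the value is a single scalar, a typed assignment `cmd.radio_sensor_offset = *offset_calib;` would remove the separate length argument entirely and let the compiler check the types, and given the note that the same bug appears twice in the internal v2 offset calibration commit, a tree-wide search for the `memcpy(dst, ptr, sizeof(ptr))` pattern is worth doing before this is merged.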

2011-09-12 19:25:09

by Wey-Yi Guy

Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption

On Mon, 2011-09-12 at 12:14 -0700, Daniel Halperin wrote:
> On Mon, Sep 12, 2011 at 12:08 PM, Johannes Berg
> <[email protected]> wrote:
> >
> > --- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:34.000000000 +0200
> > +++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:43.000000000 +0200
> > @@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset
> >
> > memset(&cmd, 0, sizeof(cmd));
> > iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD);
> > - memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib));
> > + memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib));
> > if (!(cmd.radio_sensor_offset))
> > cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET;
>
> Nice catch!
>
> This kinda bug seems ideal for Julia Lawall's stuff to catch, doesn't it?
>
> Right: memcpy(addr, obj, sizeof(*obj))
> Wrong: memcpy(addr, obj, sizeof(obj))
>
Thank you very much for catching my mistake.

Wey



2011-09-12 19:20:33

by Daniel Halperin

Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption

On Mon, Sep 12, 2011 at 12:08 PM, Johannes Berg
<[email protected]> wrote:
>
> --- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c ? ? ?2011-09-12 21:01:34.000000000 +0200
> +++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c ? ? ?2011-09-12 21:01:43.000000000 +0200
> @@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset
>
> ? ? ? ?memset(&cmd, 0, sizeof(cmd));
> ? ? ? ?iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD);
> - ? ? ? memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib));
> + ? ? ? memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib));
> ? ? ? ?if (!(cmd.radio_sensor_offset))
> ? ? ? ? ? ? ? ?cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET;

Nice catch!

This kinda bug seems ideal for Julia Lawall's stuff to catch, doesn't it?

Right: memcpy(addr, obj, sizeof(*obj))
Wrong: memcpy(addr, obj, sizeof(obj))

Dan
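Daniel's right/wrong pair, worked through in user space as an added example (not code from the thread or from the iwlwifi driver): a stand-in command struct with canary fields shows the pointer-sized copy clobbering the neighbours of a 2-byte field, while the pointee-sized copy leaves them intact. The struct layout, the canary values and the source array are constructed for the demonstration and are not the driver's real layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the on-stack command: the 2-byte offset field is
 * followed by canaries that a correctly sized copy must not touch.  The real
 * iwlagn layout is not on the page; this is an assumption for the demo only. */
struct calib_cmd {
    uint16_t radio_sensor_offset;
    uint16_t canary16;
    uint32_t canary32;
};
#define CANARY16 0xBEEF
#define CANARY32 0xDEADC0DEu

/* Mirrors the patched function with the copy length passed in, so the two
 * sizeof forms can be compared.  The source is an 8-byte array, so the buggy
 * copy reads in bounds and only the write overruns the 2-byte field.
 * Returns 1 if the neighbouring fields survived, 0 if they were clobbered. */
static int copy_offset(size_t len)
{
    uint16_t src[4] = { 0x1234, 0x5555, 0x6666, 0x7777 }; /* constructed */
    const uint16_t *offset_calib = src;
    struct calib_cmd cmd;
    volatile struct calib_cmd *chk = &cmd; /* force real loads afterwards */

    memset(&cmd, 0, sizeof(cmd));
    cmd.canary16 = CANARY16;
    cmd.canary32 = CANARY32;
    memcpy(&cmd.radio_sensor_offset, offset_calib, len);
    return chk->canary16 == CANARY16 && chk->canary32 == CANARY32;
}

/* The two lengths from the hunk: size of the pointer vs size of the pointee. */
size_t buggy_len(void) { const uint16_t *p = NULL; return sizeof(p); }
size_t fixed_len(void) { const uint16_t *p = NULL; return sizeof(*p); }

int buggy_copy_is_clean(void) { return copy_offset(buggy_len()); }
int fixed_copy_is_clean(void) { return copy_offset(fixed_len()); }

int main(void)
{
    printf("sizeof(ptr)=%zu  sizeof(*ptr)=%zu\n", buggy_len(), fixed_len());
    printf("buggy copy clean: %d  fixed copy clean: %d\n",
           buggy_copy_is_clean(), fixed_copy_is_clean());
    return 0;
}
```

A typed assignment (`cmd.radio_sensor_offset = *offset_calib;`) removes the separate length argument altogether and lets the compiler check that source and destination types agree.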

2011-09-13 07:18:42

by Johannes Berg

Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption

On Mon, 2011-09-12 at 12:14 -0700, Daniel Halperin wrote:
> On Mon, Sep 12, 2011 at 12:08 PM, Johannes Berg
> <[email protected]> wrote:
> >
> > --- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:34.000000000 +0200
> > +++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:43.000000000 +0200
> > @@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset
> >
> > memset(&cmd, 0, sizeof(cmd));
> > iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD);
> > - memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib));
> > + memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib));
> > if (!(cmd.radio_sensor_offset))
> > cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET;
>
> Nice catch!
>
> This kinda bug seems ideal for Julia Lawall's stuff to catch, doesn't it?
>
> Right: memcpy(addr, obj, sizeof(*obj))
> Wrong: memcpy(addr, obj, sizeof(obj))

That thought occurred to me as well, but I had been debugging until late
at night so didn't even try to write a script to flag this. :)

johannes


2011-09-12 19:56:24

by Alexander Diewald

Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption

2011-09-12 19:25:01

by Julia Lawall

Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption

On Mon, 12 Sep 2011, Daniel Halperin wrote:

> On Mon, Sep 12, 2011 at 12:08 PM, Johannes Berg
> <[email protected]> wrote:
> >
> > --- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c ? ? ?2011-09-12 21:01:34.000000000 +0200
> > +++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c ? ? ?2011-09-12 21:01:43.000000000 +0200
> > @@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset
> >
> > ? ? ? ?memset(&cmd, 0, sizeof(cmd));
> > ? ? ? ?iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD);
> > - ? ? ? memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib));
> > + ? ? ? memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib));
> > ? ? ? ?if (!(cmd.radio_sensor_offset))
> > ? ? ? ? ? ? ? ?cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET;
>
> Nice catch!
>
> This kinda bug seems ideal for Julia Lawall's stuff to catch, doesn't it?
>
> Right: memcpy(addr, obj, sizeof(*obj))
> Wrong: memcpy(addr, obj, sizeof(obj))

Yes... I have tried in the past the following:

x = <+... sizeof(x) ...+>

But that doesn't catch the above because there is no return value. I will
try it.

julia