Subject: Re: brcmsmac: fix array out-of-bounds access in qm_log10
From: Kalle Valo
To: Tobias Regnery
Cc: linux-wireless@vger.kernel.org, arend.vanspriel@broadcom.com, franky.lin@broadcom.com, hante.meuleman@broadcom.com, brcm80211-dev-list.pdl@broadcom.com, Tobias Regnery
Date: Fri, 25 Nov 2016 09:57:17 +0000 (UTC)
Message-Id: <20161125095717.EE565613A8@smtp.codeaurora.org>
In-Reply-To: <1479734949-6300-1-git-send-email-tobias.regnery@gmail.com>
References: <1479734949-6300-1-git-send-email-tobias.regnery@gmail.com>
Sender: linux-wireless-owner@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0

Tobias Regnery wrote:
> I get the following UBSAN warning during boot on my laptop:
>
> ================================================================================
> UBSAN: Undefined behaviour in drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:280:21
> index 32 is out of range for type 's16 [32]'
> CPU: 0 PID: 879 Comm: NetworkManager Not tainted 4.9.0-rc4 #28
> Hardware name: LENOVO Lenovo IdeaPad N581/INVALID, BIOS 5ECN96WW(V9.01) 03/14/2013
>  ffff8800b74a6478 ffffffff828e59d2 0000000041b58ab3 ffffffff8398330c
>  ffffffff828e5920 ffff8800b74a64a0 ffff8800b74a6450 0000000000000020
>  1ffffffff845848c ffffed0016e94bf1 ffffffffc22c2460 000000006b9c0514
> Call Trace:
>  [] dump_stack+0xb2/0x110
>  [] ? _atomic_dec_and_lock+0x150/0x150
>  [] ubsan_epilogue+0xd/0x4e
>  [] __ubsan_handle_out_of_bounds+0xfa/0x13e
>  [] ? __ubsan_handle_shift_out_of_bounds+0x241/0x241
>  [] ? bcma_host_pci_read16+0x59/0xa0 [bcma]
>  [] ? bcma_host_pci_read16+0x68/0xa0 [bcma]
>  [] ? read_phy_reg+0xe8/0x180 [brcmsmac]
>  [] qm_log10+0x2e4/0x350 [brcmsmac]
>  [] wlc_phy_init_lcnphy+0x538/0x1f20 [brcmsmac]
>  [] ? wlc_lcnphy_periodic_cal+0x5c0/0x5c0 [brcmsmac]
>  [] ? ieee80211_open+0xb3/0x110 [mac80211]
>  [] ? sk_busy_loop+0x1e2/0x840
>  [] ? __dev_change_flags+0xae/0x220
> ...
>
> The report is valid: doing the math in this function, with an input value
> N=63 the variable s16tableIndex gets a value of 31. This value is used as
> an index in the array log_table with 32 entries. But the next line is:
>
> 	s16errorApproximation = (s16) qm_mulu16(u16offset,
> 				(u16) (log_table[s16tableIndex + 1] -
> 				log_table[s16tableIndex]));
>
> With s16tableIndex + 1 we are trying an out-of-bounds access to the array.
>
> The log_table array provides log2 values in q.15 format and the above
> statement tries an error approximation with the next value. To fix this
> issue add the next value to the array and update the comment accordingly.
>
> Signed-off-by: Tobias Regnery

Patch applied to wireless-drivers-next.git, thanks.

4c0bfeaae9f9 brcmsmac: fix array out-of-bounds access in qm_log10

-- 
https://patchwork.kernel.org/patch/9439423/

Documentation about submitting wireless patches and checking status
from patchwork:

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
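The arithmetic behind the report, as an added example that is not the brcmsmac driver's code and not part of this thread: a constructed model in which the table index is the five bits that follow the leading one of the normalized input (so it ranges over 0..31, and N=63 lands on 31), the sixteen bits below that are the interpolation offset, and the q.15 log2 table is built at runtime by a small helper. The names log2_q15, build_log_table, log_table_index, interpolate_checked and log2_fraction_q15 are assumptions made for the example. A 32-entry table makes the index+1 read fail the bounds check; a 33-entry table, which is what appending the next value does, lets the same input interpolate normally.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the lookup described in the report: the index is the
 * LOG_TABLE_BITS bits that follow the leading one of the normalized input,
 * so it ranges over 0..31 and a table of 32 entries has no "next" entry for
 * index 31. These are assumptions for illustration, not the driver's code. */
#define LOG_TABLE_BITS 5
#define LOG_TABLE_ENTRIES (1u << LOG_TABLE_BITS)	/* 32, the size UBSAN reported */
#define MAX_TABLE_ENTRIES (LOG_TABLE_ENTRIES + 1)	/* 33, the size after the fix */

/* Fixed-point log2 of x in [1,2) given in q.15 (32768..65535), result in q.15.
 * Bit-by-bit squaring method; a helper constructed for this example. */
static uint32_t log2_q15(uint32_t x)
{
	uint32_t result = 0;

	for (int bit = 14; bit >= 0; bit--) {
		x = (x * x) >> 15;		/* x < 65536, so x*x fits in 32 bits */
		if (x >= 65536u) {		/* square crossed 2.0: emit a 1 bit, halve */
			result |= 1u << bit;
			x >>= 1;
		}
	}
	return result;
}

/* Fill table[0..entries-1] with log2(1 + i/32) in q.15. Entry 32, the one the
 * fix appends, is log2(2.0) = 1.0 = 32768, so the table is int32_t here. */
static void build_log_table(int32_t *table, size_t entries)
{
	for (size_t i = 0; i < entries; i++)
		table[i] = (i < LOG_TABLE_ENTRIES)
			? (int32_t)log2_q15(32768u + (uint32_t)(i << (15 - LOG_TABLE_BITS)))
			: 32768;
}

/* Normalize n (non-zero) so its leading one sits at bit 30, then return the
 * LOG_TABLE_BITS bits below it as the table index and the next 16 bits as
 * the interpolation offset. For n = 63 (bits 5..0 set) the index is 31. */
int log_table_index(uint32_t n, uint16_t *offset)
{
	while (n < 0x40000000u)
		n <<= 1;
	if (offset)
		*offset = (uint16_t)(n >> (30 - LOG_TABLE_BITS - 16));
	return (int)((n >> (30 - LOG_TABLE_BITS)) & (LOG_TABLE_ENTRIES - 1));
}

/* Interpolate between table[index] and table[index + 1]; refuse, instead of
 * reading past the end, when index + 1 is not inside the table. With 32 entries
 * and index 31 this is exactly the access the UBSAN report flagged. */
bool interpolate_checked(const int32_t *table, size_t entries, int index,
			 uint16_t offset, int32_t *out)
{
	if (index < 0 || (size_t)index + 1 >= entries)
		return false;
	int32_t step = table[index + 1] - table[index];
	*out = table[index] + (int32_t)(((uint32_t)offset * (uint32_t)step) >> 16);
	return true;
}

/* Fractional part of log2(n) in q.15 using a table of 'entries' elements;
 * returns -1 when the lookup would run out of bounds. */
int32_t log2_fraction_q15(uint32_t n, size_t entries)
{
	int32_t table[MAX_TABLE_ENTRIES];
	int32_t result;
	uint16_t offset;

	if (n == 0 || entries < 2 || entries > MAX_TABLE_ENTRIES)
		return -1;
	build_log_table(table, entries);
	int index = log_table_index(n, &offset);
	return interpolate_checked(table, entries, index, offset, &result) ? result : -1;
}

int main(void)
{
	printf("N=63 -> table index %d\n", log_table_index(63, NULL));
	printf("32 entries: %ld\n", (long)log2_fraction_q15(63, LOG_TABLE_ENTRIES));
	printf("33 entries: %ld\n", (long)log2_fraction_q15(63, MAX_TABLE_ENTRIES));
	return 0;
}
```

The bounds check in interpolate_checked is what UBSAN was doing at runtime for the driver; in the real code the table is a const array and the fix makes the extra entry exist rather than adding a check, which is why the sanitizer report goes away once the table has 33 values.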