Date: Wed, 27 May 2020 21:48:30 +0300
From: Dan Carpenter
To: Kalle Valo, Hu Jiahui, Eric Dumazet
Cc: security@kernel.org, linux-wireless@vger.kernel.org, Jakub Kicinski
Subject: [PATCH v3] airo: Fix read overflows sending packets
Message-ID: <20200527184830.GA1164846@mwanda>
X-Mailing-List: linux-wireless@vger.kernel.org

The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
overflow.  The fix is to pad skb->data to at least ETH_ZLEN bytes.

Cc:
Reported-by: Hu Jiahui
Signed-off-by: Dan Carpenter --- v2: remove an unnecessary if statement increment the ->tx_dropped count on failure fix found two more instances of the same bug. fix typo in the "Cc: " tag v3: I had thought that skb_padto() updated skb->len so that it would always be more than ETH_ZLEN meaning that we could delete the checks for smaller values: "len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;" But I was wrong and those are still required. drivers/net/wireless/cisco/airo.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c index 8363f91df7ea7..827bb6d74815a 100644 --- a/drivers/net/wireless/cisco/airo.c +++ b/drivers/net/wireless/cisco/airo.c @@ -1925,6 +1925,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!",__func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } npacks = skb_queue_len (&ai->txq); if (npacks >= MAXTXQ - 1) { @@ -2127,6 +2131,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!", __func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } /* Find a vacant FID */ for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ ); @@ -2201,6 +2209,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb, airo_print_err(dev->name, "%s: skb == NULL!", __func__); return NETDEV_TX_OK; } + if (skb_padto(skb, ETH_ZLEN)) { + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } /* Find a vacant FID */ for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ ); -- 2.26.2
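
Review bot: In the mpi_start_xmit hunk the pad call is placed ahead of the `npacks >= MAXTXQ - 1` queue check, so a short frame is padded (and skb_padto() may reallocate its data) before the driver knows whether it will accept the frame. What the full-queue branch returns is not visible in this hunk; if it can hand the skb back to the stack for a retry, the same frame is padded again on the next call. That is harmless but wasted work, and moving the four added lines below the queue check would avoid it.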
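
Review bot: In the airo_start_xmit hunk, `skb_padto(skb, ETH_ZLEN)` zero-fills the tail but leaves skb->len unchanged, so the fix only holds together with the existing `len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;` clamp quoted in the v3 notes, which lies outside this hunk. Those notes sit below the `---` and will not reach the git log, so a one-line comment above the call saying the later clamp must stay would stop someone from removing it on the same assumption the v3 notes describe. skb_put_padto() is the variant that also extends skb->len, if you would rather have the length and the padded data agree.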
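
Review bot: In the airo_start_xmit11 hunk the failure branch returns NETDEV_TX_OK without freeing the skb. That is correct, because skb_padto() frees the skb itself when it fails, but nothing in the added lines says so, and a later reader could add a kfree there and create a double free; a short comment such as `/* skb_padto() frees the skb on failure */` would settle it. The same four lines now appear in all three xmit functions, so a small shared helper would keep the copies from drifting apart.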