Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp265133ybg; Tue, 2 Jun 2020 23:41:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJytgKxxlataKwTOr01sz4ZQ/dHW3H7mMTdSMPjeQznXTKQ6QKnuUlvrV/cbm+gE3RGwAcD7 X-Received: by 2002:a17:906:1116:: with SMTP id h22mr562710eja.350.1591166505695; Tue, 02 Jun 2020 23:41:45 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1591166505; cv=pass; d=google.com; s=arc-20160816; b=L6NjIeZg2w3RDrQhatu0d/CR+4JanC/2RefNN9NmUdBh72o7/P1rAh+2FqtOy/Qw4K XhiLxtsRq+WWz+sKzbrPWnkBCT2u4Zk5N7eTk7xg8Gp8HwV2egB9NXqcv3qyAxFPfOBH eExkcsbm5X9kY3Nsi3pgM4NOw3Wn1ZlHshRoLaf6BTnVZzPPS+AL4bT0Usw1xlpmSdOm B5T86grWfe5wnXBD5CfTpS0Pn+7MQUg68Z+Lq3ctUfb3tW4q6MsLVKvxsa2IBgigva1f J0WboGdMwHfyd79BQApB3OcrBspx8XKbwdxumzSwGVtvXwy0tSIWmPAH7okv8vGKTsSv ulsw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:in-reply-to:user-agent:date:message-id:from :references:cc:to:subject:dkim-signature; bh=gwaCu+fkRQlMxNU81rXoF4YaX8bSZmcahvHQbDAdSUw=; b=fw6vObtfDJC6lbq9v6MTjl+7KTBzsUM1jT3V7otUyL34EZth8ziqcwtSKYmbOWlZHo 3SoF6cOEc4kv4fSlIvVf9k7KIyC41kzu/Xh/fw/NDJcY6hnLR9mYA942Mh8LyoQJjINv 6zeUMCYbQJFXoDNbr/FBq284ZbkTfl7M+1ZJi4+xCr8Gnwu5pXcGw4NqRCTn3D4aI103 qZ1lSZPp+eGQTsm8PNnk3lg++f1BYCFVfpBvXVyYk6h3JFi/8hG/0z3XGGojLqayI/Mi wou9I6q7K37Lmv/AvC8jxHcTtdSNqxLYE0/q4FhtJ40SuT9DytjC6w0Fgs8R8v9dTaNt SjpA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@cypress.com header.s=selector1 header.b=b1JaxLmy; arc=pass (i=1 spf=pass spfdomain=cypress.com dkim=pass dkdomain=cypress.com dmarc=pass fromdomain=cypress.com); spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cypress.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rh3si595096ejb.539.2020.06.02.23.41.06; Tue, 02 Jun 2020 23:41:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@cypress.com header.s=selector1 header.b=b1JaxLmy; arc=pass (i=1 spf=pass spfdomain=cypress.com dkim=pass dkdomain=cypress.com dmarc=pass fromdomain=cypress.com); spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cypress.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725927AbgFCGkz (ORCPT + 99 others); Wed, 3 Jun 2020 02:40:55 -0400 Received: from mail-dm6nam12on2134.outbound.protection.outlook.com ([40.107.243.134]:32161 "EHLO NAM12-DM6-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725275AbgFCGkz (ORCPT ); Wed, 3 Jun 2020 02:40:55 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RTMzD0k+PsBEeFEc0/wroDNkLBI8e3iMxH1bvDskUGrZ3Fgp+DYUOHsAHs9pBocipnAUBkkOmWGqixHsyhou/U1EoSs612Hm3+KuzWrwtzdziVxCzNZQuJXXgRmizP720NB2ZSUFrr7+bfwAWkUZjRxDW/MQo6rIwwlYhoEKKhykO8mxnz8rd0uyHgHsid2z8SOYNmiSi/631NrzrFif4x8cVpe/iVtxJrHw9MGP5zB/MDapfrt5Ql/NThV2fhuJ5DtomLb2bGeUWAOEEqpPxNTIAITIIe/AaebGQOogl8mrxxVS5RvSeC9FWk+ZX1N6GrdQkaRnC2DFWw1SqJTbNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gwaCu+fkRQlMxNU81rXoF4YaX8bSZmcahvHQbDAdSUw=; b=Mm7puI4qe4K06aIz4C7CDT/McnYl9qCGPheRll506qIiPFcoRcE713UXYJnsujWqzBHKUN4Rc3adcr3zEUX/BCw1C3P4S6jAI1dZJpgcIG+o5iDETPHZOfg/169faci0FwKeeK5t58BGX9sarBu6No6qFKB+07evna9kw4siMsoyfCC49/HFo/ionVYrzp5X2Y8Wi6yDiJwDQtM0cufMEyF3vS12YLbGvH/YGNeU8D02wRPh99ROz67oIGQmCv8P3nYSDT4/B9LsxinPJ07oR0JdhnEiss1EdbEdC4Bp5rpgIGszPTJ+EeUzOjpd4aFR58dd1MFKimJbjyE/wZ7lWQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cypress.com; dmarc=pass action=none header.from=cypress.com; dkim=pass header.d=cypress.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cypress.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gwaCu+fkRQlMxNU81rXoF4YaX8bSZmcahvHQbDAdSUw=; b=b1JaxLmyAWzf5a3CzA0hvJLoBTFGEbUbsgq1Zn6RFlD8qiX9N/cBsmS0CK4doqGbN7WpWCnWwLZafR7kpZAMrxYeIGJu4X1ysioA1f9jbb2GC/fkNSU6dAoXOfAKEDTTYlVEkJ+ZaA65OmdRREc6U0DbY06GUSZm0b4pqq8MfzI= Authentication-Results: cypress.com; dkim=none (message not signed) header.d=none;cypress.com; dmarc=none action=none header.from=cypress.com; Received: from DM6PR06MB4748.namprd06.prod.outlook.com (2603:10b6:5:fd::18) by DM6PR06MB4393.namprd06.prod.outlook.com (2603:10b6:5:1d::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3045.19; Wed, 3 Jun 2020 06:40:51 +0000 Received: from DM6PR06MB4748.namprd06.prod.outlook.com ([fe80::9f0:c02f:7b54:51eb]) by DM6PR06MB4748.namprd06.prod.outlook.com ([fe80::9f0:c02f:7b54:51eb%5]) with mapi id 15.20.3066.018; Wed, 3 Jun 2020 06:40:51 +0000 Subject: Re: [PATCH 1/5] brcmfmac: To fix kernel crash on out of boundary access To: Florian Fainelli , linux-wireless@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com, brcm80211-dev-list@cypress.com, Arend van Spriel , Franky Lin , Hante Meuleman , Kalle Valo , chi-hsien.lin@cypress.com, Raveendran Somu References: <20200601071953.23252-1-wright.feng@cypress.com> <20200601071953.23252-2-wright.feng@cypress.com> <8fe5fdf5-1b26-a127-3567-321017455a49@gmail.com> From: Wright Feng Message-ID: <69c1658c-fb6c-e410-49df-2c98cb8501b0@cypress.com> Date: Wed, 3 Jun 2020 14:40:42 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 In-Reply-To: <8fe5fdf5-1b26-a127-3567-321017455a49@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-ClientProxiedBy: TYXPR01CA0049.jpnprd01.prod.outlook.com (2603:1096:403:a::19) To DM6PR06MB4748.namprd06.prod.outlook.com (2603:10b6:5:fd::18) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [192.168.50.236] (123.194.189.67) by TYXPR01CA0049.jpnprd01.prod.outlook.com (2603:1096:403:a::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18 via Frontend Transport; Wed, 3 Jun 2020 06:40:48 +0000 X-Originating-IP: [123.194.189.67] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: 3bb1a818-3273-427e-d8f6-08d807890ecc X-MS-TrafficTypeDiagnostic: DM6PR06MB4393: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:260; X-Forefront-PRVS: 04238CD941 X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: bsl1AsL4RjkPEYtnwc9aGlHKlx8lQdsPfL7/GT11XIO3rTZnRP80HBDvXjn9RHYk8zulizUpjixo+4p0D7XvnLJ5+5BiJ9C2B/nNWUfU0IYLyglmwmKldhNXeyb7OMn1QHsEqKfcj9RodepqvlDoTkpN3GsP4VhZxbrxNBPB5GDVeSz+2zaMnKrzsXRNZPP6gn/ASkbrXYGviWXmg8MOxD1XzELgPC725RiJVYJadXVe82k+TPJnnQdvVgTLhdkfZrywJwWrgoDN5C2zbyeBOgLH3R3n7EyDz8h6TCP1bxzpZJEYVXqfXvGrSC+EQ/ftWwteH8eSOxGhrFvoAUSalibetFI+Lj9vG00bj+pHkdbUf2y5ep+VahgYozIKCBxT X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR06MB4748.namprd06.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(39860400002)(396003)(376002)(366004)(136003)(346002)(2616005)(956004)(36756003)(2906002)(4326008)(52116002)(26005)(6666004)(5660300002)(53546011)(186003)(16526019)(8676002)(31686004)(6486002)(66946007)(66476007)(478600001)(107886003)(8936002)(86362001)(54906003)(31696002)(16576012)(44832011)(316002)(83380400001)(66556008)(43740500002);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData: nLm1sSchUlrEWIAAPWpfb5j1rOc2Ob3EQ9J6sIbc4O3/kleUEQDjxeAvGg5eaMngkUjvCReyjLCBbhBn/nkuR7RW5txAWJdy6DnLmjKANB/i7MGShN57vnfDuqybakxnd9uMkpxlfN0QgsFyJKGTJ0HwkJKt1MuJ57mHf0TUfzpeabEesK+QZ125wCeaB3PzO5Ourec1wOsMBHv4vqG0biRDVo6t6Z7v6k90MggPapkfzlhGH1/Q4IV6UMOO2y5mYfFO4/Jje8bOkP5u5bApj/aI8+DA0sDIbiuwex59mTEzCyna5xPCnANExG3kt1zpst4zUevyme5uPyVDfdk+kGIO1BWU+6I1lKFp8L3EcZjL4mV3HseElPblFRGwrbSsO7JAJ7bw5WvOUNA7Ar9Gdbz5apCAs8CEJyEBUPqWBPFmXtaoSRN/pBHYUOnkdF5TIO24L0+3E5WT9StricH/O1seTBZ4tupjJwewPzhHiaM19xVKK2WwMzabJK6HmVaw X-OriginatorOrg: cypress.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3bb1a818-3273-427e-d8f6-08d807890ecc X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jun 2020 06:40:51.6239 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 011addfc-2c09-450d-8938-e0bbc2dd2376 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: OiFl3K1LUHDQGyeO2h/IgpIBFvcQE2S64AeTH9O2Fm2Z9wtUaR3FhYbFEPcFXdt/ZdTc3/leZuJytuiyvUQiCg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR06MB4393 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Florian Fainelli 於 6/2/2020 12:34 PM 寫道: > > > On 6/1/2020 12:19 AM, Wright Feng wrote: >> From: Raveendran Somu >> >> To trunkcate the addtional bytes, if extra bytes been received. > > typo: truncate. Missing "have been received". Thanks for catching this, Raveendran will correct it in V2. > >> Current code only have a warning and proceed without handling it. >> But in one of the crash reported by DVT, these causes the >> crash intermittently. So the processing is limit to the skb->len. >> >> Signed-off-by: Raveendran Somu >> Signed-off-by: Chi-hsien Lin >> Signed-off-by: Wright Feng >> --- >> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c >> index 09701262330d..531fe9be4025 100644 >> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c >> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c >> @@ -1843,6 +1843,9 @@ void brcmf_fws_hdrpull(struct brcmf_if *ifp, s16 siglen, struct sk_buff *skb) >> >> WARN_ON(siglen > skb->len); >> >> + if (siglen > skb->len) >> + siglen = skb->len; > > Does it make sense to keep the WARN_ON() one live above then? Regarding the change, I believe it is better to have the WARN_ON as getting something more than expected is indicating the violation of protocol.So it may be better to leave the warning, instead of quietly correctly it, which can help in identifying the malicious operations. If the warning is not complying with the rules, we can remove it, if not we suggest to have it. >> + >> if (!siglen) >> return; >> /* if flow control disabled, skip to packet data and leave */ >> >