Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp1486313pxv; Fri, 16 Jul 2021 10:22:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJybd0UYgSWlrjKEQthmmf/fwusfBGgfDYcL473rrCtcGsZhRA1mafh42BJTY5B5yZbCNlYa X-Received: by 2002:a50:ed89:: with SMTP id h9mr16097892edr.106.1626456148431; Fri, 16 Jul 2021 10:22:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626456148; cv=none; d=google.com; s=arc-20160816; b=axRQnEdP7WRvUZcj+zJZsZPeQ9IDs+qP9uTYGhwELdbBErLslREsF4RLzEpV6YsjK/ zKxwqH/TLF5IwY3iQDn+dcv4QeGKFis/QfC7kUoSKAMwYbkKpainLhYi4shr5FqdokoT iakqmTa3WI0UxW8C5x7NK+39i5Mg33jxlln7hhTw1uvwsBZq5CAckxL3SQzAHSS5vHin BhyLTiisoHdlOPeUSdW5SyIOSBDobbRsci2OLQ5k67mbNcMGAsMVDaD4omB48CKtgbPM 7y5miVEY/k3RKvPNpipIG2NnTZZC0JUl/LrzKO87TUN0PH7NnsviCWXGDElPg9glDm9T vVdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=d69Z+J2NDJ1Q/fEgUZTCeVq13TS78rPxEEKZ/viLRRg=; b=v50z5xZThITi3H0/+O/xcl795Um3aed36tEO85QktEFlHtuTGH+crYgLSkM3wVeHMd hgcSRr+FIpSU2NQ21F7+02bATyIMmNzBgT/xvFpIgQay2ei4JYI5tlHLcuc8hzi4N6Im ryReQFC/rOs1Jpp2+pGyYPXUUw/U3faq8NxilfcQqbAQVUBZHOCMUj/zJG27fDYcds9k QGHntZRaKYJMzmtkfWxJBtZynXU1LbBwK7KypwN5w8AxaneBEwjJXiu9QgnT59H5/7+I vvxX00ZwhnO2YSG/foMmbK8WCUWdyjLAbhB62p6ZmQPhRfxQDBp7cvQeKNvOzkfi6Emb wFmA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="AoH/UlbG"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w9si12991415edx.213.2021.07.16.10.21.57; Fri, 16 Jul 2021 10:22:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="AoH/UlbG"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230431AbhGPRYu (ORCPT + 99 others); Fri, 16 Jul 2021 13:24:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:56526 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231195AbhGPRXw (ORCPT ); Fri, 16 Jul 2021 13:23:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2BBB4613F6; Fri, 16 Jul 2021 17:20:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626456054; bh=N5GhpdYtkMLYCoImrlzc1ma0sto2kRkmBuZwOljwAOI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=AoH/UlbGrD9OromDziDnSXri7ny7u60h2seb3RvxcSqqzpUVrXTuB9ym3nLtZFk3U wLYJurnEJHu3gW6DwEYyLGuL0FCcMdk6Y2d9fa+WkiV8zRiuZJbIaPn/bmW+JoxHcB 6N3YcaGa/RDsS/NGdRoi7l3ihsviBy53XgfkotdQ= Date: Fri, 16 Jul 2021 19:20:48 +0200 From: Greg KH To: Len Baker Cc: Yan-Hsuan Chuang , Kalle Valo , "David S. Miller" , Jakub Kicinski , Stanislaw Gruszka , Brian Norris , Pkshih , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v2] rtw88: Fix out-of-bounds write Message-ID: References: <20210716155311.5570-1-len.baker@gmx.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210716155311.5570-1-len.baker@gmx.com> Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Fri, Jul 16, 2021 at 05:53:11PM +0200, Len Baker wrote: > In the rtw_pci_init_rx_ring function the "if (len > TRX_BD_IDX_MASK)" > statement guarantees that len is less than or equal to GENMASK(11, 0) or > in other words that len is less than or equal to 4095. However the > rx_ring->buf has a size of RTK_MAX_RX_DESC_NUM (defined as 512). This > way it is possible an out-of-bounds write in the for statement due to > the i variable can exceed the rx_ring->buff size. > > However, this overflow never happens due to the rtw_pci_init_rx_ring is > only ever called with a fixed constant of RTK_MAX_RX_DESC_NUM. But it is > better to be defensive in this case and add a new check to avoid > overflows if this function is called in a future with a value greater > than 512. If this can never happen, then no, this is not needed. Why would you check twice for the same thing? thanks, greg k-h