Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp2337189pxv; Sat, 17 Jul 2021 10:34:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxcfHnQmVwLT5gaUryRgh9Y+wdn4H6VfRwNS0Hgg2oQ3unsprPrg78lOT7EIppJoeNvi85d X-Received: by 2002:a92:a30d:: with SMTP id a13mr10830828ili.236.1626543263539; Sat, 17 Jul 2021 10:34:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626543263; cv=none; d=google.com; s=arc-20160816; b=El5cLiL83DtoB4XjaPIH0PsCFhWoVeVwxwBZiEedVkOhr82IsJUzBeY5oXJotHBf3O kK527yD95ZvRL1LMBkyezZQLOWtuxzmMei2H0zquEC1lBroftJzTBIByjBU0u+QYZ1Is R/TesEC6z9clz7rPPBN8lKKchR5Yk8xqTjXqqytK7Jd2lAeWArehVKwByebfRH/lHXWW NAEs1Q/nEJdx3zpq/af4CO3FhAhJVLeUme4etVLUNB0Po9nvQFfZtEbDcVfR/qM07nn/ 4vjFepaBLSxm7RFryn+LJGqnMkEyNrC2VeT+x/S2D1mdOTFlG107+T0Gn5LgvYTzsf/x AK4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=z8SdfgGNKRWu++Tzt1umo1lJ9b5eBG6ag7E+Pqlr7Bs=; b=fI+gSH92PNqsNxc8YKMX1hUjjA6ONCSEXMsjA+L7s33KeaVhwD8/ntfzrSF2yzZYWl fH4XtWTYsYq7wN1Wlw9CA2tzRLZHdTwvUJvS/DDa3Y8qF8WX00MBYV0NAxS6Cg7IMeER Nqk7S4AUlFkmfbzV8GabcdDds8P0lEiLfZfPmzwXPQpWKVkeBIjRP6ms3k5MUwd/1oB5 1PJmGvf0g0O7eemy7blFlskvRTo6inqIThH2/vl/zYw/eRCrs+e7gorn+A/3zUvgPr6a xdS/BM/1mCgMJ36M/Swx38Y/MJ1CXk7Hv/9yumh2FplX2csT9D4cenVXDqS6OVF3M2+F sqdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lBbpu4ns; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w5si3814252ilh.139.2021.07.17.10.34.02; Sat, 17 Jul 2021 10:34:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lBbpu4ns; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233441AbhGQRgy (ORCPT + 99 others); Sat, 17 Jul 2021 13:36:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:34376 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232828AbhGQRgy (ORCPT ); Sat, 17 Jul 2021 13:36:54 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2761360FE9; Sat, 17 Jul 2021 17:33:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626543236; bh=GDqTCOO4uFGwemmRAEP2WS2n7BZO4bDcvurji9/tB1g=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=lBbpu4nsV39zDRohQAu43Y327W1pCIkBvQrXND3O1vZP3qSqvDY+SOe5O+rOxL1tn 3wvZK+CjfK8Hg5EShc+7YSXxgSHT8qFPXAXs6wD/0El/TMcpcx9ZMil5go+I9AKXk6 dQKb9NBQ2MWsHcjBchVILzoX3mE7Q0oYVfWfSUcc= Date: Sat, 17 Jul 2021 19:33:49 +0200 From: Greg KH To: Len Baker Cc: Brian Norris , Yan-Hsuan Chuang , Kalle Valo , "David S. Miller" , Jakub Kicinski , Stanislaw Gruszka , Pkshih , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v2] rtw88: Fix out-of-bounds write Message-ID: References: <20210716155311.5570-1-len.baker@gmx.com> <20210717133343.GA2009@titan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210717133343.GA2009@titan> Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Sat, Jul 17, 2021 at 03:33:43PM +0200, Len Baker wrote: > On Fri, Jul 16, 2021 at 07:20:48PM +0200, Greg KH wrote: > > On Fri, Jul 16, 2021 at 05:53:11PM +0200, Len Baker wrote: > > > In the rtw_pci_init_rx_ring function the "if (len > TRX_BD_IDX_MASK)" > > > statement guarantees that len is less than or equal to GENMASK(11, 0) or > > > in other words that len is less than or equal to 4095. However the > > > rx_ring->buf has a size of RTK_MAX_RX_DESC_NUM (defined as 512). This > > > way it is possible an out-of-bounds write in the for statement due to > > > the i variable can exceed the rx_ring->buff size. > > > > > > However, this overflow never happens due to the rtw_pci_init_rx_ring is > > > only ever called with a fixed constant of RTK_MAX_RX_DESC_NUM. But it is > > > better to be defensive in this case and add a new check to avoid > > > overflows if this function is called in a future with a value greater > > > than 512. > > > > If this can never happen, then no, this is not needed. > > Then, if this can never happen, the current check would not be necessary > either. > > > Why would you check twice for the same thing? > > Ok, it makes no sense to double check the "len" variable twice. So, I > propose to modify the current check as follows: > > diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c > index e7d17ab8f113..0fd140523868 100644 > --- a/drivers/net/wireless/realtek/rtw88/pci.c > +++ b/drivers/net/wireless/realtek/rtw88/pci.c > @@ -268,8 +268,8 @@ static int rtw_pci_init_rx_ring(struct rtw_dev *rtwdev, > int i, allocated; > int ret = 0; > > - if (len > TRX_BD_IDX_MASK) { > - rtw_err(rtwdev, "len %d exceeds maximum RX entries\n", len); > + if (len > ARRAY_SIZE(rx_ring->buf)) { > + rtw_err(rtwdev, "len %d exceeds maximum RX ring buffer\n", len); > return -EINVAL; > } > > This way the overflow can never happen with the current call to > rtw_pci_init_rx_ring function or with a future call with a "len" parameter > greater than 512. What do you think? > > If there are no objections I will send a v3 for review. > > Another question: If this can never happen should I include the "Fixes" tag, > "Addresses-Coverity-ID" tag and Cc to stable? If it can never happen, why have this check at all? Looks like a Coverity false positive? thanks, greg k-h