Date: Sun, 6 Nov 2022 14:32:52 +0100
From: Lorenzo Bianconi
To: Toke Høiland-Jørgensen
Cc: linux-wireless@vger.kernel.org, bjlockie@lockie.ca, johannes@sipsolutions.net, nbd@nbd.name
Subject: Re: [PATCH wireless] wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
References: <08b259df20d9e61c5b852bf8b96db7272dbb1767.1667730476.git.lorenzo@kernel.org> <87mt94w94y.fsf@toke.dk>
In-Reply-To: <87mt94w94y.fsf@toke.dk>

> Lorenzo Bianconi writes:
>
> > Fix possible out-of-bound access in ieee80211_get_rate_duration routine
> > as reported by the following UBSAN report:
> >
> > UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
> > index 15 is out of range for type 'u16 [12]'
> > CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
> > Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
> > Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
> > Call Trace:
> >
> > show_stack+0x4e/0x61
> > dump_stack_lvl+0x4a/0x6f
> > dump_stack+0x10/0x18
> > ubsan_epilogue+0x9/0x43
> > __ubsan_handle_out_of_bounds.cold+0x42/0x47
> > ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
> > ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
> > ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
> > ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
> > mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
> > mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
> > mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
> > process_one_work+0x225/0x400
> > worker_thread+0x50/0x3e0
> > ? process_one_work+0x400/0x400
> > kthread+0xe9/0x110
> > ? kthread_complete_and_exit+0x20/0x20
> > ret_from_fork+0x22/0x30
> >
> > Reported-by: bjlockie@lockie.ca
> > Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76")
> > Signed-off-by: Lorenzo Bianconi
> > ---
> >  net/mac80211/airtime.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c
> > index 2e66598fac79..4ed05988131d 100644
> > --- a/net/mac80211/airtime.c
> > +++ b/net/mac80211/airtime.c
> > @@ -452,6 +452,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw,
> >  	    (status->encoding == RX_ENC_HE && streams > 8)))
> >  		return 0;
> >  
> > +	if (WARN_ON_ONCE(idx >= MCS_GROUP_RATES))
> > +		return 0;
> > +
>
> So presumably this is something that can actually happen in real usage,
> so should we really warn? Or was the driver also fixed to not trigger
> this?

Looking at the mt76x02 support, MT_RATE_INDEX_VHT_IDX is GENMASK(3, 0) so the
hw can report rate_idx up to 15. Do you prefer to drop WARN_ON_ONCE()? I would
prefer to keep it since it informs us something nasty occurred (and at the end
it just runs once), but I can live even w/o it :)

Regards,
Lorenzo

>
> -Toke
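Review bot: the new `if (WARN_ON_ONCE(idx >= MCS_GROUP_RATES)) return 0;` guards a condition the thread itself says real hardware produces (mt76x02 reports a 4-bit rate index, so values 12..15 reach a 12-entry `u16` table, exactly the "index 15 is out of range for type 'u16 [12]'" in the UBSAN report), which means the WARN will fire on ordinary traffic from that driver rather than flag a mac80211 bug. The bounds check itself is the right fix for the out-of-bounds read and should stay; consider either dropping the WARN in favour of a rate-limited debug message, or additionally clamping/validating the index in the driver's tx-status path so mac80211 never sees an index it cannot look up. Also worth a comment in the hunk: returning 0 silently undercounts airtime for those frames, so callers of ieee80211_calc_tx_airtime/rx_airtime see a zero duration rather than an error.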