Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4184678rwb;
        Sat, 10 Dec 2022 05:01:28 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5ABPGcf7dfySDImWXiqGfCHMtwFV56TJ1vvceCxUFGM0nnjexc7VoikWO2cvW6ASBpPs80
X-Received: by 2002:a05:6a20:1b30:b0:a4:72af:fb59 with SMTP id ch48-20020a056a201b3000b000a472affb59mr9334187pzb.36.1670677288732;
        Sat, 10 Dec 2022 05:01:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670677288; cv=none;
        d=google.com; s=arc-20160816;
        b=oXKLPXsUiMH0pSih5Ucl0eGyDvy5YkbCmPR8QvbLdTuMP8axwZHU7zO2OoeOch1wU7
         +fEvE95zb7QK+K4AHO4VZIZPHcX1qOoS4Z6QAUPZ13f6VMSL701fFEXq5gfbpeB0Hbjk
         W4HmtzJjvPlVMRo3Jx3OjomPBekvURmEC2qK7ruWHgoX5H8xlSCcIkC3cGC2tp1VN6YO
         A5dGohCDKQStuEoviIXV8wH2TaPmjvSWjIUOEAL3kVB8ScpkouP4f74yErk1XycxkD3y
         RlobfmXWzvl1U01hH51Hw412rdEbjflVPKjHvBVgxvyN4BK5x6wSCT/scOYRdgjbU0Yb
         Q6FQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=THFU9V8kKv1aBT7g4V4zEh/lS0KN2eL2lFh/gad4NKw=;
        b=Rs9WoxtXENECZDv6PnweWjVtR0LPPNRN3HyTRQi10B01oLM79JeVVJM7M2fYfPSlRv
         WyOPERsY9vAImekqE52xyVO/I08gTEapn5d7mnNayUUVM7c8+aVQnTZiV1RFBw26JRVH
         fropSHoGQaXmkCoEr5GrYKFSrsY+TDf8gOLKO8F8si8Hj9vgMtDw55Qs0GQxrmllDXrC
         pI2puz378flbJ3LbygxMc/WXGYrjm1uv9/+16/wyoW7MGK7v465HsnuAwILr0ljbbCKc
         zIUv/nv1NrNJl+ymJQvwG6sPsUpBd/XP4dw3geJi3dF/ilyXwoMOASBMlX46vFJDhwlH
         KVdA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id l64-20020a639143000000b0047895cb1543si4257743pge.874.2022.12.10.05.01.04;
        Sat, 10 Dec 2022 05:01:28 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229761AbiLJMrv (ORCPT <rfc822;hsy1995313@gmail.com> + 66 others);
        Sat, 10 Dec 2022 07:47:51 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47226 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229710AbiLJMrt (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Sat, 10 Dec 2022 07:47:49 -0500
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A11C4BC05;
        Sat, 10 Dec 2022 04:47:44 -0800 (PST)
Received: from kwepemi500012.china.huawei.com (unknown [172.30.72.57])
        by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NTncc0g3VzqSyh;
        Sat, 10 Dec 2022 20:43:28 +0800 (CST)
Received: from [10.67.111.176] (10.67.111.176) by
 kwepemi500012.china.huawei.com (7.221.188.12) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.34; Sat, 10 Dec 2022 20:47:40 +0800
Message-ID: <40c4ace2-68f3-5e7d-2e68-7ea36a104a28@huawei.com>
Date:   Sat, 10 Dec 2022 20:47:39 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.3.0
Subject: Re: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in
 _rtl8812ae_phy_set_txpower_limit()
Content-Language: en-US
To:     Ping-Ke Shih <pkshih@realtek.com>,
        "kvalo@kernel.org" <kvalo@kernel.org>,
        "davem@davemloft.net" <davem@davemloft.net>,
        "edumazet@google.com" <edumazet@google.com>,
        "kuba@kernel.org" <kuba@kernel.org>,
        "pabeni@redhat.com" <pabeni@redhat.com>
CC:     "Larry.Finger@lwfinger.net" <Larry.Finger@lwfinger.net>,
        "linville@tuxdriver.com" <linville@tuxdriver.com>,
        "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <20221207152319.3135500-1-lizetao1@huawei.com>
 <e985ead3ea7841b8b3a94201dfb18776@realtek.com>
From:   Li Zetao <lizetao1@huawei.com>
In-Reply-To: <e985ead3ea7841b8b3a94201dfb18776@realtek.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.67.111.176]
X-ClientProxiedBy: dggpeml500012.china.huawei.com (7.185.36.15) To
 kwepemi500012.china.huawei.com (7.221.188.12)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.5 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi Ping-Ke,

On 2022/12/9 13:11, Ping-Ke Shih wrote:
>
>> -----Original Message-----
>> From: Li Zetao <lizetao1@huawei.com>
>> Sent: Wednesday, December 7, 2022 11:23 PM
>> To: Ping-Ke Shih <pkshih@realtek.com>; kvalo@kernel.org; davem@davemloft.net; edumazet@google.com;
>> kuba@kernel.org; pabeni@redhat.com
>> Cc: lizetao1@huawei.com; Larry.Finger@lwfinger.net; linville@tuxdriver.com;
>> linux-wireless@vger.kernel.org; netdev@vger.kernel.org; linux-kernel@vger.kernel.org
>> Subject: [PATCH] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
>>
>> There is a global-out-of-bounds reported by KASAN:
>>
>>    BUG: KASAN: global-out-of-bounds in
>>    _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>>    Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411
>>
>>    CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D
>>    6.1.0-rc8+ #144 e15588508517267d37
>>    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
>>    Call Trace:
>>     <TASK>
>>     ...
>>     kasan_report+0xbb/0x1c0
>>     _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
>>     rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]
>>     rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]
>>     ...
>>     </TASK>
>>
>> The root cause of the problem is that the comparison order of
>> "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The
>> _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two
>> strings, so this requires the length of the two strings be greater
>> than or equal to n. In the  _rtl8812ae_phy_set_txpower_limit(), it was
>> originally intended to meet this requirement by carefully designing
>> the comparison order. For example, "pregulation" and "pbandwidth" are
>> compared in order of length from small to large, first is 3 and last
>> is 4. However, the comparison order of "prate_section" dose not obey
>> such order requirement, therefore when "prate_section" is "HT", it will
>> lead to access out of bounds in _rtl8812ae_eq_n_byte().
>>
>> Fix it by adding a length check in _rtl8812ae_eq_n_byte(). Although it
>> can be fixed by adjusting the comparison order of "prate_section", this
>> may cause the value of "rate_section" to not be from 0 to 5. In
>> addition, commit "21e4b0726dc6" not only moved driver from staging to
>> regular tree, but also added setting txpower limit function during the
>> driver config phase, so the problem was introduced by this commit.
>>
>> Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree")
>> Signed-off-by: Li Zetao <lizetao1@huawei.com>
>> ---
>>   drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> index a29321e2fa72..720114a9ddb2 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
>> @@ -1600,7 +1600,7 @@ static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint)
>>
>>   static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num)
>>   {
> This can causes problem because it compares characters from tail to head, and
> we can't simply replace this by strncmp() that does similar work. But, I also
> don't like strlen() to loop 'str1' constantly.
>
> How about having a simple loop to compare characters forward:
>
> for (i = 0; i < num; i++)
>      if (str1[i] != str2[i])
>           return false;
>
> return true;

Thanks for your comment, but I don't think the problem has anything to 
do with head-to-tail or

tail-to-head comparison. The problem is that num is the length of str2, 
but the length of str1 may

be less than num, which may lead to reading str1 out of bounds, for 
example, when comparing

"prate_section", str1 may be "HT", while str2 may by "CCK", and num is 
3. So I think it is neccssary

to check the length of str1 to ensure that will not read out of bounds.


Looking forward to your comments.


With Best Regards,

Li Zetao

>> -	if (num == 0)
>> +	if (num == 0 || strlen(str1) < num)
>>   		return false;
>>   	while (num > 0) {
>>   		num--;
>> --
>> 2.31.1
>>
>>
>> ------Please consider the environment before printing this e-mail.