From: Ping-Ke Shih
To: Li Zetao
CC: "Larry.Finger@lwfinger.net", "davem@davemloft.net", "edumazet@google.com", "kuba@kernel.org", "kvalo@kernel.org", "linux-kernel@vger.kernel.org", "linux-wireless@vger.kernel.org", "linville@tuxdriver.com", "netdev@vger.kernel.org", "pabeni@redhat.com"
Subject: RE: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
Date: Mon, 12 Dec 2022 01:35:16 +0000
References: <66c119cc4e184a36d525a07f2fbd092348839610.camel@realtek.com> <20221212023540.1540147-1-lizetao1@huawei.com>
In-Reply-To: <20221212023540.1540147-1-lizetao1@huawei.com>
X-Mailing-List: linux-wireless@vger.kernel.org

> -----Original Message-----
> From: Li Zetao
> Sent: Monday, December 12, 2022 10:36 AM
> To: Ping-Ke Shih
> Cc: Larry.Finger@lwfinger.net; davem@davemloft.net; edumazet@google.com; kuba@kernel.org;
> kvalo@kernel.org; linux-kernel@vger.kernel.org; linux-wireless@vger.kernel.org; linville@tuxdriver.com;
> lizetao1@huawei.com; netdev@vger.kernel.org; pabeni@redhat.com
> Subject: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
>
> There is a global-out-of-bounds reported by KASAN:
>
> BUG: KASAN: global-out-of-bounds in
> _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
> Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411
>
> CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D
> 6.1.0-rc8+ #144 e15588508517267d37
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
> Call Trace:
>
> ...
> kasan_report+0xbb/0x1c0
> _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
> rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]
> rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]
> ...
>
> The root cause of the problem is that the comparison order of
> "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The
> _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two
> strings from tail to head, which causes the problem. In the
> _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet
> this requirement by carefully designing the comparison order.
> For example, "pregulation" and "pbandwidth" are compared in order of
> length from small to large, first is 3 and last is 4. However, the
> comparison order of "prate_section" does not obey such order requirement,
> therefore when "prate_section" is "HT", when comparing from tail to head,
> it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As
> mentioned above, the _rtl8812ae_eq_n_byte() has the same function as
> strcmp(), so just strcmp() is enough.
>
> Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.
> Although it can be fixed by adjusting the comparison order of
> "prate_section", this may cause the value of "rate_section" to not be
> from 0 to 5.
> In addition, commit "21e4b0726dc6" not only moved driver
> from staging to regular tree, but also added setting txpower limit
> function during the driver config phase, so the problem was introduced
> by this commit.
>
> Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree")
> Signed-off-by: Li Zetao

Thanks for your fix.

Acked-by: Ping-Ke Shih

> ---
> v1 -> v2: delete the third parameter of _rtl8812ae_eq_n_byte() and use
> strcmp to replace loop comparison.
> v2 -> v3: remove _rtl8812ae_eq_n_byte() and use strcmp() barely.
>
>  .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 52 +++++++------------
>  1 file changed, 20 insertions(+), 32 deletions(-)
>
> [...]
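The failure mode the commit message describes, as an added example that is not the patch's or the driver's code: a tail-to-head n-byte compare reads index n-1 of the input first, so any candidate whose length exceeds strlen(input)+1 over-reads the input string before a shorter candidate gets a chance to match. The helper below is an assumed reconstruction of that comparison shape with a bounds check bolted on so it reports the over-read instead of performing it; the candidate names other than "HT", the candidate orders, and the returned indices are assumptions made for illustration. It shows the three outcomes the message contrasts: the original order over-reads on "HT", reordering avoids the over-read but renumbers the sections, and strcmp() is safe in any order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed shape of a tail-to-head n-byte compare (illustration only, not the
 * removed _rtl8812ae_eq_n_byte()): bytes are compared from index n-1 down
 * to 0. The first access is str1[n-1], so any n larger than strlen(str1)+1
 * touches memory past the terminating NUL. This copy detects that case and
 * reports it through *oob instead of reading out of bounds.
 */
static bool eq_n_byte_tail_first(const char *str1, const char *str2, size_t n,
                                 bool *oob)
{
    size_t readable = strlen(str1) + 1; /* text bytes plus the NUL */

    if (n == 0)
        return false;
    if (n > readable) {
        *oob = true;      /* an unchecked helper would read str1[n-1] here */
        return false;
    }
    while (n > 0) {
        n--;
        if (str1[n] != str2[n])
            return false;
    }
    return true;
}

/* Try candidates in the given order with n = strlen(candidate), the way a
 * chain of if/else-if compares would. Returns the index of the first match
 * or -1; *oob is set if any attempt along the way would over-read. */
int classify_tail_first(const char *prate_section, const char *const *order,
                        size_t count, bool *oob)
{
    *oob = false;
    for (size_t i = 0; i < count; i++) {
        if (eq_n_byte_tail_first(prate_section, order[i], strlen(order[i]), oob))
            return (int)i;
    }
    return -1;
}

/* The approach the patch takes: strcmp() stops at the first differing byte
 * or at the NUL of either string, so candidate order no longer matters for
 * memory safety. */
int classify_strcmp(const char *prate_section, const char *const *order,
                    size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strcmp(prate_section, order[i]) == 0)
            return (int)i;
    }
    return -1;
}

/* Assumed candidate names; only "HT" is named in the commit message. */
static const char *const original_order[] = { "CCK", "OFDM", "HT", "VHT" };
/* Shortest-first order: no over-read, but the index each name maps to
 * changes, which is the side effect the commit message cites for not
 * fixing the bug by reordering. */
static const char *const shortest_first[] = { "HT", "CCK", "VHT", "OFDM" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    bool oob;
    int idx;

    idx = classify_tail_first("HT", original_order, COUNT(original_order), &oob);
    printf("tail-first, original order: HT -> %d, over-read=%d\n", idx, oob);
    idx = classify_tail_first("HT", shortest_first, COUNT(shortest_first), &oob);
    printf("tail-first, shortest-first: HT -> %d, over-read=%d\n", idx, oob);
    idx = classify_strcmp("HT", original_order, COUNT(original_order));
    printf("strcmp, original order:     HT -> %d\n", idx);
    return 0;
}
```

With the original order, "HT" (3 readable bytes) is first tested against a 4-byte candidate, so the compare starts at index 3 and the over-read is flagged even though "HT" later matches; KASAN reports exactly that first access as global-out-of-bounds because the string literal lives in .rodata. The shortest-first order never over-reads but returns a different index for the same name, while strcmp() returns the original index without depending on order at all.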