Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6031565rwb; Sun, 11 Dec 2022 17:42:29 -0800 (PST) X-Google-Smtp-Source: AA0mqf7EKobot4cnwevfrNMYIjm42T7tfqWMhMYDc0tjnvp+UNPNvJcM5GsSjKGM8wnMlUL1AuF/ X-Received: by 2002:a05:6a00:f8c:b0:578:202d:7c21 with SMTP id ct12-20020a056a000f8c00b00578202d7c21mr7967177pfb.12.1670809349285; Sun, 11 Dec 2022 17:42:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670809349; cv=none; d=google.com; s=arc-20160816; b=ELyoVMr9Cl3iH97NZKPGl7RJLYAErrSoh/dl2wkbxV/r16C+p90yBVQsHhHsb0UVnq DbCa3KbhZeeby3sWtrpdDcwFfSqsUsGobzulvkp+7Ec09O11XYViSvGNeUlf92Gi7a3W ZSMfDie2/qWXtjvQgUXuOxJnN37FFT+qBQ1MxmxEu2YvWGrWxR9w7It58ljydi86woBR tOF6wRTqVd4df2ub+h3Wne3em8P8dagXb/tPbhjxfm3P4COi2OkeWkXs3/aP4OiWf9GB EQu/+TUqEKtf2bI/+fLCWtQIrsruOiaHKSeN4v5NGyrrt8ZkRKg6/V+B/JYcKJxxox1c Dspw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-language:accept-language:references:message-id:date :thread-index:thread-topic:subject:cc:to:from:authenticated-by; bh=UFHPo63Bd4y7g7VW2tQ1y8YrDqhlxeArTn+9G3vrQ0o=; b=e/DvHS3e8mN17qqqChXRFWrn8kNplwcghrH+/Mk8EEbd0+oaWbU6Cs1fBK7aQNmVhK wa/kT5mR0NT0dh0LLXCDUkTkTjL0e8fRX8CxImlVaumfDjr7JsytNv0W5Lnbbvv2bENO oghB1CuzZR2xJdcqDhZHnSNw5qeQRlcUpQLyC/S0U2aM5a0R6b6B5RcCBQTwCAwtx8+g 6I/FGAicabcruwolcXzlc4s2FkIkPbTDQyskCTzyCcUwQJkHb5c5wIyWZOWSxZl2iA9s dEW68GWbgoJiBMPlkwAcReeRmdhO+MeDx6n3H0TpknHF+vGRxCrQ/O0vdF+JwOmXIDok 4mkw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q2-20020a056a00084200b00576505a484csi8519831pfk.336.2022.12.11.17.42.20; Sun, 11 Dec 2022 17:42:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230471AbiLLBj2 convert rfc822-to-8bit (ORCPT + 66 others); Sun, 11 Dec 2022 20:39:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229475AbiLLBj1 (ORCPT ); Sun, 11 Dec 2022 20:39:27 -0500 Received: from rtits2.realtek.com.tw (rtits2.realtek.com [211.75.126.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0B5A4B1EF; Sun, 11 Dec 2022 17:39:25 -0800 (PST) Authenticated-By: X-SpamFilter-By: ArmorX SpamTrap 5.77 with qID 2BC1akreF025606, This message is accepted by code: ctloc85258 Received: from mail.realtek.com (rtexh36506.realtek.com.tw[172.21.6.27]) by rtits2.realtek.com.tw (8.15.2/2.81/5.90) with ESMTPS id 2BC1akreF025606 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=FAIL); Mon, 12 Dec 2022 09:36:46 +0800 Received: from RTEXMBS02.realtek.com.tw (172.21.6.95) by RTEXH36506.realtek.com.tw (172.21.6.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9; Mon, 12 Dec 2022 09:37:34 +0800 Received: from RTEXMBS04.realtek.com.tw (172.21.6.97) by RTEXMBS02.realtek.com.tw (172.21.6.95) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.7; Mon, 12 Dec 2022 09:37:34 +0800 Received: from RTEXMBS04.realtek.com.tw ([fe80::15b5:fc4b:72f3:424b]) by RTEXMBS04.realtek.com.tw ([fe80::15b5:fc4b:72f3:424b%5]) with mapi id 15.01.2375.007; Mon, 12 Dec 2022 09:37:34 +0800 From: Ping-Ke Shih To: Li Zetao CC: "Larry.Finger@lwfinger.net" , "davem@davemloft.net" , "edumazet@google.com" , "kuba@kernel.org" , "kvalo@kernel.org" , "linux-kernel@vger.kernel.org" , "linux-wireless@vger.kernel.org" , "linville@tuxdriver.com" , "netdev@vger.kernel.org" , "pabeni@redhat.com" Subject: RE: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() Thread-Topic: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() Thread-Index: AQHZDcmQLIWDqWxK5UWgWwHLimkfx65pd+XggAAAmuA= Date: Mon, 12 Dec 2022 01:37:34 +0000 Message-ID: <58dbf9a4aa57417bb40cbabc8ae9cd17@realtek.com> References: <66c119cc4e184a36d525a07f2fbd092348839610.camel@realtek.com> <20221212023540.1540147-1-lizetao1@huawei.com> Accept-Language: en-US, zh-TW Content-Language: zh-TW X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.21.69.188] x-kse-serverinfo: RTEXMBS02.realtek.com.tw, 9 x-kse-attachmentfiltering-interceptor-info: no applicable attachment filtering rules found x-kse-antivirus-interceptor-info: scan successful x-kse-antivirus-info: =?us-ascii?Q?Clean,_bases:_2022/12/11_=3F=3F_10:00:00?= x-kse-bulkmessagesfiltering-scan-result: protection disabled Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org > -----Original Message----- > From: Ping-Ke Shih > Sent: Monday, December 12, 2022 9:35 AM > To: 'Li Zetao' > Cc: Larry.Finger@lwfinger.net; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; > kvalo@kernel.org; linux-kernel@vger.kernel.org; linux-wireless@vger.kernel.org; linville@tuxdriver.com; > netdev@vger.kernel.org; pabeni@redhat.com > Subject: RE: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in > _rtl8812ae_phy_set_txpower_limit() > > > > > -----Original Message----- > > From: Li Zetao > > Sent: Monday, December 12, 2022 10:36 AM > > To: Ping-Ke Shih > > Cc: Larry.Finger@lwfinger.net; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; > > kvalo@kernel.org; linux-kernel@vger.kernel.org; linux-wireless@vger.kernel.org; > linville@tuxdriver.com; > > lizetao1@huawei.com; netdev@vger.kernel.org; pabeni@redhat.com > > Subject: [PATCH v3] rtlwifi: rtl8821ae: Fix global-out-of-bounds bug in > _rtl8812ae_phy_set_txpower_limit() Oops. Subject prefix should be "wifi: rtlwifi: ...". If it isn't hard to you, please fix it, and add my acked-by along with v4. > > > > There is a global-out-of-bounds reported by KASAN: > > > > BUG: KASAN: global-out-of-bounds in > > _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] > > Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 > > > > CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D > > 6.1.0-rc8+ #144 e15588508517267d37 > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), > > Call Trace: > > > > ... > > kasan_report+0xbb/0x1c0 > > _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] > > rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] > > rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] > > ... > > > > > > The root cause of the problem is that the comparison order of > > "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The > > _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two > > strings from tail to head, which causes the problem. In the > > _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet > > this requirement by carefully designing the comparison order. > > For example, "pregulation" and "pbandwidth" are compared in order of > > length from small to large, first is 3 and last is 4. However, the > > comparison order of "prate_section" dose not obey such order requirement, > > therefore when "prate_section" is "HT", when comparing from tail to head, > > it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As > > mentioned above, the _rtl8812ae_eq_n_byte() has the same function as > > strcmp(), so just strcmp() is enough. > > > > Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. > > Although it can be fixed by adjusting the comparison order of > > "prate_section", this may cause the value of "rate_section" to not be > > from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver > > from staging to regular tree, but also added setting txpower limit > > function during the driver config phase, so the problem was introduced > > by this commit. > > > > Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") > > Signed-off-by: Li Zetao > > Thanks for your fix. > > Acked-by: Ping-Ke Shih > > > --- > > v1 -> v2: delete the third parameter of _rtl8812ae_eq_n_byte() and use > > strcmp to replace loop comparison. > > v2 -> v3: remove _rtl8812ae_eq_n_byte() and use strcmp() barely. > > > > .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 52 +++++++------------ > > 1 file changed, 20 insertions(+), 32 deletions(-) > > > > [...]