From: Wen Gong
Subject: [PATCH] wifi: ath12k: Fix buffer overflow when scanning with extraie
Date: Sun, 6 Aug 2023 23:08:06 -0400
Message-ID: <20230807030806.9345-1-quic_wgong@quicinc.com>
X-Mailer: git-send-email 2.40.1
X-Mailing-List: linux-wireless@vger.kernel.org

If cfg80211 is providing extraie's for a scanning process then ath12k will copy that over to the firmware. The extraie.len is a 32 bit value in struct element_info and describes the number of bytes for the vendor information elements. The WMI_TLV packet has a special WMI_TAG_ARRAY_BYTE section. This section can have a (payload) length up to 65535 bytes because the WMI_TLV_LEN can store up to 16 bits.
The code was missing such a check and could have created a scan request which cannot be parsed correctly by the firmware.

But the bigger problem was the allocation of the buffer. It has to align the TLV sections by 4 bytes. But the code was using a u8 to store the newly calculated length of this section (with alignment). And the newly calculated length was then used to allocate the skbuff. But the actual code to copy in the data is using the extraie.len and not the calculated "aligned" length.

The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled was 264 bytes during tests with a wifi card. But it only allocated 8 bytes (264 bytes % 256) for it. As a consequence, the code to memcpy the extraie into the skb was then just overwriting data after skb->end. Things like shinfo were therefore corrupted. This could usually be seen by a crash in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus address).

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: Wen Gong
---
 drivers/net/wireless/ath/ath12k/wmi.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 6512267ae4ca..0acd58aed79d 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2145,7 +2145,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, void *ptr; int i, ret, len; u32 *tmp_ptr; - u8 extraie_len_with_pad = 0; + u32 extraie_len_with_pad = 0; struct ath12k_wmi_hint_short_ssid_arg *s_ssid = NULL; struct ath12k_wmi_hint_bssid_arg *hint_bssid = NULL;
@@ -2163,12 +2163,6 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, if (arg->num_bssid) len += sizeof(*bssid) * arg->num_bssid; - len += TLV_HDR_SIZE; - if (arg->extraie.len) - extraie_len_with_pad = - roundup(arg->extraie.len, sizeof(u32)); - len += extraie_len_with_pad; - if (arg->num_hint_bssid) len += TLV_HDR_SIZE + arg->num_hint_bssid * sizeof(*hint_bssid); @@ -2177,6 +2171,18 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, len += TLV_HDR_SIZE + arg->num_hint_s_ssid * sizeof(*s_ssid); + len += TLV_HDR_SIZE; + if (arg->extraie.len) + extraie_len_with_pad = + roundup(arg->extraie.len, sizeof(u32)); + if (extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)) { + len += extraie_len_with_pad; + } else { + ath12k_warn(ar->ab, "discard large size %d bytes extraie for scan start\n", + arg->extraie.len); + extraie_len_with_pad = 0; + } + skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len); if (!skb) return -ENOMEM; @@ -2266,7 +2272,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, tlv->header = ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len); ptr += TLV_HDR_SIZE; - if (arg->extraie.len) + if (extraie_len_with_pad) memcpy(ptr, arg->extraie.ptr, arg->extraie.len); base-commit: b21fe5be53eb873c02e7479372726c8aeed171e3 -- 2.40.1
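Review bot: the block removed in the @@ -2163 hunk (the `len += TLV_HDR_SIZE` plus `roundup(arg->extraie.len, sizeof(u32))` accounting) comes back after the num_hint_s_ssid accounting in the next hunk, but the commit message does not say why it moves; a sentence noting that the extraie budget must be computed only after `len` covers every other TLV in the command would make the reordering reviewable on its own.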
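Review bot: the new check in the @@ -2177 hunk, `extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)`, bounds the skb allocation but not the limit the commit message itself cites: WMI_TLV_LEN is 16 bits wide, so the WMI_TAG_ARRAY_BYTE payload must also stay at or below 65535 bytes, and nothing here rejects a larger extraie when max_msg_len permits it; add an explicit comparison against the 16-bit maximum. Writing the budget test as `len + extraie_len_with_pad <= max_msg_len` also avoids the subtraction going negative or wrapping if `len` already exceeds the budget. Two smaller points: the warning prints `arg->extraie.len` with `%d` although the commit message describes it as a 32-bit unsigned length, so `%u` is the matching format, and silently sending the scan without the requested vendor IEs is a behaviour change for the caller; either state that in the warning text or consider returning an error instead of discarding.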
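Review bot: in the @@ -2266 hunk the memcpy is now gated on `extraie_len_with_pad`, but the TLV header two lines above it is still built from `len` in `ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len)`, and where that `len` is set is outside the hunk; please confirm it is derived from `extraie_len_with_pad` at that point, otherwise on the discard path the header advertises a payload that is never copied and header and payload disagree. It is also worth confirming that the skb returned by `ath12k_wmi_alloc_skb` is zero-filled, since the memcpy covers `arg->extraie.len` bytes and the up to three padding bytes before `extraie_len_with_pad` are never written by this code.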
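The truncation the commit message describes, as an added C example that is not part of the patch or of the ath12k driver: the u8 variable turns a 264-byte padded length into 8, so a memcpy of extraie.len bytes overruns the allocation, while the fixed accounting keeps the length in a u32 and checks it against both the message budget and the 16-bit WMI_TLV_LEN. `struct element_info`, `TLV_HDR_SIZE`, `WMI_TLV_LEN_MAX` and the `roundup` macro are constructed stand-ins for the kernel definitions, and the sample lengths are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel definitions the commit message names
 * (assumptions, not the ath12k sources). */
#define TLV_HDR_SIZE    4u        /* one 32-bit WMI TLV header */
#define WMI_TLV_LEN_MAX 0xFFFFu   /* WMI_TLV_LEN is a 16-bit field */
#define roundup(x, y)   ((((x) + (y) - 1) / (y)) * (y))

struct element_info {
	uint32_t len;          /* bytes of vendor IEs supplied by cfg80211 */
	const uint8_t *ptr;
};

/* Pre-fix accounting: the padded length is kept in a u8, so 264 -> 8. */
static uint32_t extraie_padded_len_buggy(const struct element_info *ie)
{
	uint8_t extraie_len_with_pad = 0;   /* the truncating variable */

	if (ie->len)
		extraie_len_with_pad = roundup(ie->len, sizeof(uint32_t));
	return extraie_len_with_pad;        /* bytes reserved for the payload */
}

/* Fixed accounting: u32 length plus a cap check against the message budget
 * and the 16-bit TLV length. Returns 0 when the IEs must be discarded. */
static uint32_t extraie_padded_len_fixed(const struct element_info *ie,
					 uint32_t len_so_far,
					 uint32_t max_msg_len)
{
	uint32_t extraie_len_with_pad = 0;

	if (ie->len)
		extraie_len_with_pad = roundup(ie->len, sizeof(uint32_t));
	/* Addition rather than max_msg_len - len_so_far, so a budget that is
	 * already exhausted cannot wrap the comparison. */
	if (extraie_len_with_pad > WMI_TLV_LEN_MAX ||
	    len_so_far + TLV_HDR_SIZE + extraie_len_with_pad > max_msg_len)
		extraie_len_with_pad = 0;
	return extraie_len_with_pad;
}

/* Would copying ie->len bytes run past a buffer of 'reserved' bytes, as the
 * memcpy(ptr, arg->extraie.ptr, arg->extraie.len) did after the truncation? */
static bool extraie_memcpy_overflows(const struct element_info *ie,
				     uint32_t reserved)
{
	return ie->len > reserved;
}
```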