Date: Thu, 14 Dec 2023 08:35:27 +0100
From: Francesco Dolcini
To: David Lin
Cc: Brian Norris, "linux-wireless@vger.kernel.org", "linux-kernel@vger.kernel.org", "kvalo@kernel.org", "francesco@dolcini.it", Pete Hsieh, "stable@vger.kernel.org"
Subject: Re: [EXT] Re: [PATCH v2] wifi: mwifiex: fix STA cannot connect to AP
References: <20231208234127.2251-1-yu-hao.lin@nxp.com>

Hello David,

On Thu, Dec 14, 2023 at 02:22:57AM +0000, David Lin wrote:
> > From: Brian Norris

...

> > Nitpick: "fix STA cannot connect to AP" isn't the best commit message; that
> > could describe an enormous number of fixes. Maybe something more like
> > "Configure BSSID consistently when starting AP"?
>
> Thanks for your suggestion. I will change the commit message as you
> suggested. Does it mean I should create another patch from v1?

Just create `[PATCH v3] wifi: mwifiex: fix STA cannot connect to AP`

Add the change suggested by Brian and the tags you received on this v2:
 - Reviewed-by: Francesco Dolcini
 - Tested-by: Rafael Beims # Verdin iMX8MP / SD8997 SD
 - Acked-by: Brian Norris

> > Not directly related to this patch, but while you're expanding the size of this
> > command buffer: it always felt like a security-hole-in-waiting that none of
> > these command producers do any kinds of bounds checking.
> > We're just "lucky" that these functions only generate contents of ~100 bytes at
> > max, while MWIFIEX_SIZE_OF_CMD_BUFFER=2048. But, just add a few more
> > user-space controlled TLV params, and boom, we'll have ourselves a nice
> > little CVE.
> >
> > It probably wouldn't hurt to significantly write much of this driver, but at a
> > minimum, we could probably use a few checks like this:
> >
> >         cmd_size += sizeof(struct host_cmd_tlv_mac_addr);
> >         if (cmd_size > MWIFIEX_SIZE_OF_CMD_BUFFER)
> >                 return -1;
> >         // Only touch tlv *after* the bounds check.
> >
> > That doesn't need to block this patch, of course.
> >
> > Brian
> >
>
> I will modify the code for the next patch.

I would suggest not modifying this in this patch; we should fix all the code
that is subject to this potential issue.

I would personally do a follow-up patch just to add the check to avoid
overflowing the cmd buffer everywhere it is used.

Francesco
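
The bounds check sketched in the quoted review, written out as a single append helper that every TLV producer would go through. This is an added example, not code from the mwifiex driver or from anyone in the thread: `struct cmd_buf`, `struct tlv_hdr`, `cmd_put_tlv` and `fill_until_full` are hypothetical names, and byte-order conversion is left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMD_BUF_SIZE 2048 /* same value as MWIFIEX_SIZE_OF_CMD_BUFFER in the thread */

/* Hypothetical TLV header; not the driver's struct layout. */
struct tlv_hdr { uint16_t type; uint16_t len; };

/* Hypothetical command buffer that tracks how many bytes are in use. */
struct cmd_buf {
	uint8_t data[CMD_BUF_SIZE];
	size_t used;
};

/* Append one TLV; the size is checked before any byte is written. */
int cmd_put_tlv(struct cmd_buf *cb, uint16_t type, const void *val, size_t len)
{
	struct tlv_hdr hdr;

	if (len > UINT16_MAX)
		return -EINVAL;
	/* Compare against remaining space so the arithmetic cannot wrap. */
	if (sizeof(hdr) + len > CMD_BUF_SIZE - cb->used)
		return -ENOSPC;

	hdr.type = type;
	hdr.len = (uint16_t)len;
	memcpy(cb->data + cb->used, &hdr, sizeof(hdr));
	if (len)
		memcpy(cb->data + cb->used + sizeof(hdr), val, len);
	cb->used += sizeof(hdr) + len;
	return 0;
}

/* Constructed scenario: append 32-byte TLVs until the helper refuses. */
size_t fill_until_full(struct cmd_buf *cb)
{
	uint8_t ssid[32] = {0};
	size_t n = 0;

	cb->used = 0;
	while (cmd_put_tlv(cb, 0x0001, ssid, sizeof(ssid)) == 0)
		n++;
	return n;
}
```

With the check in one helper, a caller that adds more user-controlled TLVs gets an error return once the 2048-byte buffer is full instead of writing past it.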