From: Jerome Pouiller
To: devel@driverdev.osuosl.org, linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Kalle Valo, "David S. Miller", Jérôme Pouiller
Subject: [PATCH 06/13] staging: wfx: improve protection against malformed HIF messages
Date: Wed, 1 Jul 2020 17:07:00 +0200
Message-Id: <20200701150707.222985-7-Jerome.Pouiller@silabs.com>
In-Reply-To: <20200701150707.222985-1-Jerome.Pouiller@silabs.com>
References: <20200701150707.222985-1-Jerome.Pouiller@silabs.com>
From: Jérôme Pouiller

As discussed here[1], if a message was smaller than the size of the message header, it could be incorrectly processed.

[1] https://lore.kernel.org/driverdev-devel/2302785.6C7ODC2LYm@pc-42/

Signed-off-by: Jérôme Pouiller
---
drivers/staging/wfx/bh.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/drivers/staging/wfx/bh.c b/drivers/staging/wfx/bh.c index 1cbaf8bb4fa38..53ae0b5abcdd8 100644 --- a/drivers/staging/wfx/bh.c +++ b/drivers/staging/wfx/bh.c @@ -57,7 +57,6 @@ static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf) int release_count; int piggyback = 0; - WARN(read_len < 4, "corrupted read"); WARN(read_len > round_down(0xFFF, 2) * sizeof(u16), "%s: request exceed WFx capability", __func__); @@ -76,7 +75,27 @@ static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf) hif = (struct hif_msg *)skb->data; WARN(hif->encrypted & 0x1, "unsupported encryption type"); if (hif->encrypted == 0x2) { - if (wfx_sl_decode(wdev, (void *)hif)) { + if (WARN(read_len < sizeof(struct hif_sl_msg), "corrupted read")) + goto err; + computed_len = le16_to_cpu(((struct hif_sl_msg *)hif)->len); + computed_len = round_up(computed_len - sizeof(u16), 16); + computed_len += sizeof(struct hif_sl_msg); + computed_len += sizeof(struct hif_sl_tag); + } else { + if (WARN(read_len < sizeof(struct hif_msg), "corrupted read")) + goto err; + computed_len = le16_to_cpu(hif->len); + computed_len = round_up(computed_len, 2); + } + if (computed_len != read_len) { + dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n", + computed_len, read_len); + print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1, + hif, read_len, true); + goto err; + } + if (hif->encrypted == 0x2) { + if (wfx_sl_decode(wdev, (struct hif_sl_msg *)hif)) { dev_kfree_skb(skb); // If frame was a confirmation, expect trouble in next // exchange. However, it is harmless to fail to decode 
@@ -84,19 +103,6 @@ static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf) // piggyback is probably correct. return piggyback; } - computed_len = - round_up(le16_to_cpu(hif->len) - sizeof(hif->len), 16) + - sizeof(struct hif_sl_msg) + - sizeof(struct hif_sl_tag); - } else { - computed_len = round_up(le16_to_cpu(hif->len), 2); - } - if (computed_len != read_len) { - dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n", - computed_len, read_len); - print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1, - hif, read_len, true); - goto err; } if (!(hif->id & HIF_ID_IS_INDICATION)) {
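Review bot: Dropping `WARN(read_len < 4, "corrupted read")` in the first hunk (@@ -57,7 +57,6) leaves no length test ahead of the two `hif->encrypted` reads shown as context in the second hunk; the new `read_len < sizeof(...)` checks only run after that field has already been inspected. Consider one early test that rejects, rather than only warns about, a read too short to contain `encrypted`, placed before `WARN(hif->encrypted & 0x1, ...)`, or state in the commit message why the buffer always covers that field.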
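Review bot: In the encrypted branch of the second hunk (@@ -76,7 +75,27), `round_up(computed_len - sizeof(u16), 16)` is applied to the raw `len` field with no lower bound, and `computed_len` is unsigned (it is printed with `%zu`), so a `len` below `sizeof(u16)` wraps instead of being rejected. The later `computed_len != read_len` comparison then depends on the wrapped value; an explicit `if (computed_len < sizeof(u16)) goto err;` before the subtraction would make the rejection deliberate. Separately, both new `WARN(read_len < sizeof(...), "corrupted read")` calls fire on device-supplied data; `dev_err()`, as already used for the length mismatch just below, would avoid a backtrace (or a panic when panic_on_warn is set) for a malformed message.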