From patchwork Tue Jan 3 08:38:58 2017
X-Patchwork-Submitter: Rafał Miłecki
X-Patchwork-Id: 9494627
From: Rafał Miłecki
To: Kalle Valo
Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, Rafał Miłecki
Subject: [PATCH] brcmfmac: avoid writing channel out of allocated array
Date: Tue, 3 Jan 2017 09:38:58 +0100
Message-Id: <20170103083858.6981-1-zajec5@gmail.com>
X-Mailer: git-send-email 2.10.1
X-Mailing-List: linux-wireless@vger.kernel.org
From: Rafał Miłecki

Our code was assigning the number of channels to the index variable by default. If firmware reported a channel we didn't predict, this would result in using that initial index value and writing out of the array.

Fix this by detecting the unexpected channel and ignoring it.

Fixes: 58de92d2f95e ("brcmfmac: use static superset of channels for wiphy bands")
Signed-off-by: Rafał Miłecki
---
I'm not sure what kind of material it is. It fixes possible memory corruption (serious thing?) but this bug was there since Apr 2015, so is it worth fixing in 4.10? Or maybe I should even cc stable?

I don't think any released firmware reports any unexpected channel, so I guess no one ever hit this problem. I just noticed this possible problem when working on another feature.
---
 .../broadcom/brcm80211/brcmfmac/cfg80211.c | 29 +++++++++++-----------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 13ca3eb..0babfc7 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -5825,7 +5825,6 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg, u32 i, j; u32 total; u32 chaninfo; - u32 index; pbuf = kzalloc(BRCMF_DCMD_MEDLEN, GFP_KERNEL);
@@ -5873,33 +5872,33 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg, ch.bw == BRCMU_CHAN_BW_80) continue; - channel = band->channels; - index = band->n_channels; + channel = NULL; for (j = 0; j < band->n_channels; j++) { - if (channel[j].hw_value == ch.control_ch_num) { - index = j; + if (band->channels[j].hw_value == ch.control_ch_num) { + channel = &band->channels[j]; break; } } - channel[index].center_freq = - ieee80211_channel_to_frequency(ch.control_ch_num, - band->band); - channel[index].hw_value = ch.control_ch_num; + if (!channel) { + brcmf_err("Firmware reported unexpected channel %d\n", + ch.control_ch_num); + continue; + } /* assuming the chanspecs order is HT20, * HT40 upper, HT40 lower, and VHT80. */ if (ch.bw == BRCMU_CHAN_BW_80) { - channel[index].flags &= ~IEEE80211_CHAN_NO_80MHZ; + channel->flags &= ~IEEE80211_CHAN_NO_80MHZ; } else if (ch.bw == BRCMU_CHAN_BW_40) { - brcmf_update_bw40_channel_flag(&channel[index], &ch); + brcmf_update_bw40_channel_flag(channel, &ch); } else { /* enable the channel and disable other bandwidths * for now as mentioned order assure they are enabled * for subsequent chanspecs. */ - channel[index].flags = IEEE80211_CHAN_NO_HT40 | - IEEE80211_CHAN_NO_80MHZ; + channel->flags = IEEE80211_CHAN_NO_HT40 | + IEEE80211_CHAN_NO_80MHZ; ch.bw = BRCMU_CHAN_BW_20; cfg->d11inf.encchspec(&ch); chaninfo = ch.chspec; @@ -5907,11 +5906,11 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg, &chaninfo); if (!err) { if (chaninfo & WL_CHAN_RADAR) - channel[index].flags |= + channel->flags |= (IEEE80211_CHAN_RADAR | IEEE80211_CHAN_NO_IR); if (chaninfo & WL_CHAN_PASSIVE) - channel[index].flags |= + channel->flags |= IEEE80211_CHAN_NO_IR; } }
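Review bot: In the @@ -5873 hunk the commit message should also explain why the two removed assignments `channel[index].center_freq = ieee80211_channel_to_frequency(...)` and `channel[index].hw_value = ch.control_ch_num;` are dropped rather than rewritten through the new `channel` pointer: the entry is selected by matching `band->channels[j].hw_value == ch.control_ch_num`, so the hw_value store was a no-op, and center_freq is expected to be populated already by the static channel table introduced in the Fixes: commit; one sentence saying so makes the behaviour change visible to whoever backports this. On the cc-stable question in the cover letter: the removed `index = band->n_channels;` default together with the removed `channel[index].center_freq = ...` store is a write one element past the end of `band->channels`, selected by a firmware-supplied channel number, so this is a memory-safety fix and a `Cc: stable@vger.kernel.org` tag next to the existing Fixes: line looks warranted even if no shipped firmware is known to report such a channel.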
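The defect class the commit message describes, as an added example that is not the brcmfmac driver's code: a lookup whose "not found" sentinel is the array length (the pre-patch shape, `find_index_old`) placed beside the pointer-returning lookup the patch switches to (`find_channel`), with a constructed firmware report containing a channel number absent from the table. The `struct chan` and `struct band` types, the `demo_channels` table, `DEMO_CHAN_NO_HT40`, `apply_reported_channel` and `run_demo` are assumptions for illustration, not the kernel's `struct ieee80211_channel` or any driver API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's channel/band structures (example only). */
struct chan {
    uint16_t hw_value;     /* channel number, as the driver's hw_value */
    uint32_t center_freq;  /* MHz */
    uint32_t flags;
};

struct band {
    struct chan *channels;
    size_t n_channels;
};

/* Constructed static 2.4 GHz superset: channels 1, 6 and 11 (not a real driver table). */
static struct chan demo_channels[] = {
    { 1, 2412, 0 },
    { 6, 2437, 0 },
    { 11, 2462, 0 },
};
static struct band demo_band = { demo_channels, 3 };

/* Stand-in for a channel flag such as IEEE80211_CHAN_NO_HT40 (constructed value). */
#define DEMO_CHAN_NO_HT40 0x1u

/*
 * Pre-patch pattern: the "not found" sentinel is band->n_channels, which is also
 * a valid-looking index one element past the end of the array.  Every caller has
 * to remember to check the result; an unexpected channel number from firmware
 * otherwise selects channels[n_channels] for writing.
 */
static size_t find_index_old(const struct band *band, uint16_t control_ch_num)
{
    size_t index = band->n_channels;

    for (size_t j = 0; j < band->n_channels; j++) {
        if (band->channels[j].hw_value == control_ch_num) {
            index = j;
            break;
        }
    }
    return index;
}

/*
 * Post-patch pattern: return a pointer to the matching entry or NULL.  NULL cannot
 * be indexed silently, so a forgotten check faults instead of corrupting whatever
 * follows the array in memory.
 */
static struct chan *find_channel(struct band *band, uint16_t control_ch_num)
{
    for (size_t j = 0; j < band->n_channels; j++) {
        if (band->channels[j].hw_value == control_ch_num)
            return &band->channels[j];
    }
    return NULL;
}

/* Apply one firmware-reported channel; returns 1 if applied, 0 if rejected. */
static int apply_reported_channel(struct band *band, uint16_t control_ch_num)
{
    struct chan *channel = find_channel(band, control_ch_num);

    if (!channel) {
        /* Mirrors the patch: log and skip instead of writing through a bad index. */
        fprintf(stderr, "Firmware reported unexpected channel %u\n",
                (unsigned)control_ch_num);
        return 0;
    }
    channel->flags |= DEMO_CHAN_NO_HT40;
    return 1;
}

/* Feed a constructed firmware report (14 is not in the table); return how many were applied. */
static int run_demo(void)
{
    static const uint16_t reported[] = { 6, 14, 11 };
    int applied = 0;

    for (size_t i = 0; i < sizeof(reported) / sizeof(reported[0]); i++)
        applied += apply_reported_channel(&demo_band, reported[i]);
    return applied;
}

int main(void)
{
    size_t bad = find_index_old(&demo_band, 14);

    printf("old lookup for channel 14 -> index %zu (n_channels = %zu, out of bounds)\n",
           bad, demo_band.n_channels);
    printf("applied %d of 3 reported channels\n", run_demo());
    return 0;
}
```

The point of the pointer-returning form is that the failure mode changes from a silent one-past-the-end write (which a sanitizer such as KASAN would flag but a production kernel would not) to a NULL that the caller must handle, which is why the patch can drop the sentinel variable entirely.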