| Message ID | 20241105101132.374372-1-karprzy7@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jeff Johnson |
| Headers | show |
| Series | [v3] wifi: ath12k: Fix for out-of bound access error | expand |
On 11/5/2024 2:11 AM, Karol Przybylski wrote: > Selfgen stats are placed in a buffer using print_array_to_buf_index() function. > Array length parameter passed to the function is too big, resulting in possible > out-of bound memory error. > Decreasing buffer size by one fixes faulty upper bound of passed array. > > Discovered in coverity scan, CID 1600742 and CID 1600758 > > Signed-off-by: Karol Przybylski <karprzy7@gmail.com> > --- > Changes in v3: > - Code style: added spaces before and after '-' > - Improved commit msg > - Fixed same error in different function > - Link to previous discussion: https://lore.kernel.org/all/08767ff7-f764-473d-a44b-c3c3b1695008@quicinc.com/ > --- > drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c > index 799b865b89e5..2d47aca681f4 100644 > --- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c > +++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c > @@ -1562,7 +1562,7 @@ ath12k_htt_print_tx_selfgen_ac_stats_tlv(const void *tag_buf, u16 tag_len, > le32_to_cpu(htt_stats_buf->ac_mu_mimo_ndp)); > len += print_array_to_buf_index(buf, len, "ac_mu_mimo_brpollX_tried = ", 1, > htt_stats_buf->ac_mu_mimo_brpoll, > - ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS, "\n\n"); > + ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS - 1, "\n\n"); Our ath12k-check tool reports: drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c:1565: line length of 92 exceeds 90 columns I'll fix this in the 'pending' branch > > stats_req->buf_len = len; > } > @@ -1590,7 +1590,7 @@ ath12k_htt_print_tx_selfgen_ax_stats_tlv(const void *tag_buf, u16 tag_len, > le32_to_cpu(htt_stats_buf->ax_mu_mimo_ndp)); > len += print_array_to_buf_index(buf, len, "ax_mu_mimo_brpollX_tried = ", 1, > htt_stats_buf->ax_mu_mimo_brpoll, > - ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS, "\n"); > + ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS - 1, "\n"); > len += scnprintf(buf + len, buf_len - len, "ax_basic_trigger = %u\n", > le32_to_cpu(htt_stats_buf->ax_basic_trigger)); > len += scnprintf(buf + len, buf_len - len, "ax_ulmumimo_total_trigger = %u\n",
Karol Przybylski <karprzy7@gmail.com> writes: > Selfgen stats are placed in a buffer using print_array_to_buf_index() function. > Array length parameter passed to the function is too big, resulting in possible > out-of bound memory error. > Decreasing buffer size by one fixes faulty upper bound of passed array. > > Discovered in coverity scan, CID 1600742 and CID 1600758 > > Signed-off-by: Karol Przybylski <karprzy7@gmail.com> I assume you only compile tested this, it's always good to mention that in the commit message. But no need resend because of this. Acked-by: Kalle Valo <kvalo@kernel.org>
On Tue, 05 Nov 2024 11:11:31 +0100, Karol Przybylski wrote: > Selfgen stats are placed in a buffer using print_array_to_buf_index() function. > Array length parameter passed to the function is too big, resulting in possible > out-of bound memory error. > Decreasing buffer size by one fixes faulty upper bound of passed array. > > Discovered in coverity scan, CID 1600742 and CID 1600758 > > [...] Applied, thanks! [1/1] wifi: ath12k: Fix for out-of bound access error commit: eb8c0534713865d190856f10bfc97cf0b88475b1 Best regards,
diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c index 799b865b89e5..2d47aca681f4 100644 --- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c +++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c @@ -1562,7 +1562,7 @@ ath12k_htt_print_tx_selfgen_ac_stats_tlv(const void *tag_buf, u16 tag_len, le32_to_cpu(htt_stats_buf->ac_mu_mimo_ndp)); len += print_array_to_buf_index(buf, len, "ac_mu_mimo_brpollX_tried = ", 1, htt_stats_buf->ac_mu_mimo_brpoll, - ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS, "\n\n"); + ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS - 1, "\n\n"); stats_req->buf_len = len; } @@ -1590,7 +1590,7 @@ ath12k_htt_print_tx_selfgen_ax_stats_tlv(const void *tag_buf, u16 tag_len, le32_to_cpu(htt_stats_buf->ax_mu_mimo_ndp)); len += print_array_to_buf_index(buf, len, "ax_mu_mimo_brpollX_tried = ", 1, htt_stats_buf->ax_mu_mimo_brpoll, - ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS, "\n"); + ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS - 1, "\n"); len += scnprintf(buf + len, buf_len - len, "ax_basic_trigger = %u\n", le32_to_cpu(htt_stats_buf->ax_basic_trigger)); len += scnprintf(buf + len, buf_len - len, "ax_ulmumimo_total_trigger = %u\n",
Selfgen stats are placed in a buffer using print_array_to_buf_index() function. Array length parameter passed to the function is too big, resulting in possible out-of bound memory error. Decreasing buffer size by one fixes faulty upper bound of passed array. Discovered in coverity scan, CID 1600742 and CID 1600758 Signed-off-by: Karol Przybylski <karprzy7@gmail.com> --- Changes in v3: - Code style: added spaces before and after '-' - Improved commit msg - Fixed same error in different function - Link to previous discussion: https://lore.kernel.org/all/08767ff7-f764-473d-a44b-c3c3b1695008@quicinc.com/ --- drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)