ath9k: Fix read buffer overflow

Message ID	4A811464.4030108@gmail.com (mailing list archive)
State	Not Applicable, archived
Headers	show Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n7BDEZTp010190 for <patchwork-linux-wireless@patchwork.kernel.org>; Tue, 11 Aug 2009 13:14:35 GMT DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=lhXXj5cqjvl5YWAgTQuXOXlFujI0zpMahXClu95BmqRrl7sPGtOEx2My4zJhCqFYYX srXr2sWAZhZCgwX31WpvxkX0cBwbazsD4xWDbtSC6vyRhrT6iHCH/8muEJ5zpMio5W2b Qn8P46BY5bXqDLLxSfmNHaQWoGshosyuPNhk4= Message-ID: <4A811464.4030108@gmail.com> Date: Tue, 11 Aug 2009 08:49:08 +0200 From: Roel Kluin <roel.kluin@gmail.com> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2 MIME-Version: 1.0 To: "John W. Linville" <linville@tuxdriver.com> CC: Jouni Malinen <jmalinen@atheros.com>, linux-wireless@vger.kernel.org, ath9k-devel@venema.h4ckr.net, Andrew Morton <akpm@linux-foundation.org> Subject: Re: [PATCH] ath9k: Fix read buffer overflow References: <4A7CA188.1070706@gmail.com> <20090810202622.GB6060@tuxdriver.com> In-Reply-To: <20090810202622.GB6060@tuxdriver.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

4A811464.4030108@gmail.com (mailing list archive)

State

Not Applicable, archived

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	b=lhXXj5cqjvl5YWAgTQuXOXlFujI0zpMahXClu95BmqRrl7sPGtOEx2My4zJhCqFYYX
	srXr2sWAZhZCgwX31WpvxkX0cBwbazsD4xWDbtSC6vyRhrT6iHCH/8muEJ5zpMio5W2b
	Qn8P46BY5bXqDLLxSfmNHaQWoGshosyuPNhk4=
Message-ID: <4A811464.4030108@gmail.com>
Date: Tue, 11 Aug 2009 08:49:08 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: "John W. Linville" <linville@tuxdriver.com>
CC: Jouni Malinen <jmalinen@atheros.com>, linux-wireless@vger.kernel.org,
	ath9k-devel@venema.h4ckr.net, Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] ath9k: Fix read buffer overflow
References: <4A7CA188.1070706@gmail.com>
	<20090810202622.GB6060@tuxdriver.com>
In-Reply-To: <20090810202622.GB6060@tuxdriver.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Roel Kluin Aug. 11, 2009, 6:49 a.m. UTC

Prevent a read of powInfo[-1] in the first iteration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

John W. Linville Aug. 11, 2009, 6:25 p.m. UTC | #1

Comments from the ath9k crowd?

On Tue, Aug 11, 2009 at 08:49:08AM +0200, Roel Kluin wrote:
> Prevent a read of powInfo[-1] in the first iteration.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
> index ce0e86c..e67db2c 100644
> --- a/drivers/net/wireless/ath/ath9k/eeprom.c
> +++ b/drivers/net/wireless/ath/ath9k/eeprom.c
> @@ -150,10 +150,10 @@ static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
>  						       IS_CHAN_2GHZ(chan))) {
>  				matchIndex = i;
>  				break;
> -			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> -						      IS_CHAN_2GHZ(chan))) &&
> -				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> -						      IS_CHAN_2GHZ(chan)))) {
> +			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> +				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> +						IS_CHAN_2GHZ(chan))) {
>  				lowIndex = i - 1;
>  				break;
>  			}
> @@ -268,10 +268,10 @@ static void ath9k_hw_get_target_powers(struct ath_hw *ah,
>  				matchIndex = i;
>  				break;
>  			} else
> -				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> -						       IS_CHAN_2GHZ(chan))) &&
> -				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> -						       IS_CHAN_2GHZ(chan)))) {
> +				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> +				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> +						IS_CHAN_2GHZ(chan))) {
>  					lowIndex = i - 1;
>  					break;
>  				}
>

John W. Linville Aug. 20, 2009, 2:52 p.m. UTC | #2

Anybody?

On Tue, Aug 11, 2009 at 02:25:14PM -0400, John W. Linville wrote:
> Comments from the ath9k crowd?
> 
> On Tue, Aug 11, 2009 at 08:49:08AM +0200, Roel Kluin wrote:
> > Prevent a read of powInfo[-1] in the first iteration.
> > 
> > Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> > ---
> > diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
> > index ce0e86c..e67db2c 100644
> > --- a/drivers/net/wireless/ath/ath9k/eeprom.c
> > +++ b/drivers/net/wireless/ath/ath9k/eeprom.c
> > @@ -150,10 +150,10 @@ static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
> >  						       IS_CHAN_2GHZ(chan))) {
> >  				matchIndex = i;
> >  				break;
> > -			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > -						      IS_CHAN_2GHZ(chan))) &&
> > -				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > -						      IS_CHAN_2GHZ(chan)))) {
> > +			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> > +				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > +						IS_CHAN_2GHZ(chan))) {
> >  				lowIndex = i - 1;
> >  				break;
> >  			}
> > @@ -268,10 +268,10 @@ static void ath9k_hw_get_target_powers(struct ath_hw *ah,
> >  				matchIndex = i;
> >  				break;
> >  			} else
> > -				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > -						       IS_CHAN_2GHZ(chan))) &&
> > -				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > -						       IS_CHAN_2GHZ(chan)))) {
> > +				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> > +				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > +						IS_CHAN_2GHZ(chan))) {
> >  					lowIndex = i - 1;
> >  					break;
> >  				}
> > 
> 
> -- 
> John W. Linville		Someday the world will need a hero, and you
> linville@tuxdriver.com			might be all we have.  Be ready.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Luis Rodriguez Aug. 24, 2009, 11:34 p.m. UTC | #3

On Thu, Aug 20, 2009 at 7:52 AM, John W. Linville<linville@tuxdriver.com> wrote:
> Anybody?

Sorry for the delay,

Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>

This is actually pretty sloppy existing code and I'd prefer to see
this nasty POS code rewritten to avoid such nasty checks from the
start. Also notice how both ath9k_hw_get_legacy_target_powers() and
ath9k_hw_get_target_powers() do exactly the same, except they use a
different name for the bool, a different structure for the calibrated
power targets (array size changes on one element of the struct). But
this patch also fixes another not-noted potential negative rade index
access: lowIndex could be -1 under a special circumstance and this
would prevent that negative index access as well on powInfo[lowIndex].
So although this probably just does not happen right now its safer to
have a fix for two of these theoretical negative array index access
than nothing at hand; a proper rewrite of these two routines as I want
it would require quite a few changes here and more testing. Mentally
lets add that to the TODO list..

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
index ce0e86c..e67db2c 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -150,10 +150,10 @@  static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
 						       IS_CHAN_2GHZ(chan))) {
 				matchIndex = i;
 				break;
-			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						      IS_CHAN_2GHZ(chan))) &&
-				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						      IS_CHAN_2GHZ(chan)))) {
+			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						IS_CHAN_2GHZ(chan)) && i > 0 &&
+				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						IS_CHAN_2GHZ(chan))) {
 				lowIndex = i - 1;
 				break;
 			}
@@ -268,10 +268,10 @@  static void ath9k_hw_get_target_powers(struct ath_hw *ah,
 				matchIndex = i;
 				break;
 			} else
-				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						       IS_CHAN_2GHZ(chan))) &&
-				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						       IS_CHAN_2GHZ(chan)))) {
+				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						IS_CHAN_2GHZ(chan)) && i > 0 &&
+				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						IS_CHAN_2GHZ(chan))) {
 					lowIndex = i - 1;
 					break;
 				}

ath9k: Fix read buffer overflow

Commit Message

Comments

Patch