Search Linux Wireless

Re: brcmsmac: fix array out-of-bounds access in qm_log10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tobias Regnery <tobias.regnery@xxxxxxxxx> wrote:
> I get the following UBSAN warning during boot on my laptop:
> 
> ================================================================================
> UBSAN: Undefined behaviour in drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:280:21
> index 32 is out of range for type 's16 [32]'
> CPU: 0 PID: 879 Comm: NetworkManager Not tainted 4.9.0-rc4 #28
> Hardware name: LENOVO Lenovo IdeaPad N581/INVALID, BIOS 5ECN96WW(V9.01) 03/14/2013
> ffff8800b74a6478 ffffffff828e59d2 0000000041b58ab3 ffffffff8398330c
> ffffffff828e5920 ffff8800b74a64a0 ffff8800b74a6450 0000000000000020
> 1ffffffff845848c ffffed0016e94bf1 ffffffffc22c2460 000000006b9c0514
> Call Trace:
> [<ffffffff828e59d2>] dump_stack+0xb2/0x110
> [<ffffffff828e5920>] ? _atomic_dec_and_lock+0x150/0x150
> [<ffffffff82968c9d>] ubsan_epilogue+0xd/0x4e
> [<ffffffff82969875>] __ubsan_handle_out_of_bounds+0xfa/0x13e
> [<ffffffff8296977b>] ? __ubsan_handle_shift_out_of_bounds+0x241/0x241
> [<ffffffffc0d48379>] ? bcma_host_pci_read16+0x59/0xa0 [bcma]
> [<ffffffffc0d48388>] ? bcma_host_pci_read16+0x68/0xa0 [bcma]
> [<ffffffffc212ad78>] ? read_phy_reg+0xe8/0x180 [brcmsmac]
> [<ffffffffc2184714>] qm_log10+0x2e4/0x350 [brcmsmac]
> [<ffffffffc2142eb8>] wlc_phy_init_lcnphy+0x538/0x1f20 [brcmsmac]
> [<ffffffffc2142980>] ? wlc_lcnphy_periodic_cal+0x5c0/0x5c0 [brcmsmac]
> [<ffffffffc1ba0c93>] ? ieee80211_open+0xb3/0x110 [mac80211]
> [<ffffffff82f73a02>] ? sk_busy_loop+0x1e2/0x840
> [<ffffffff82f7a6ce>] ? __dev_change_flags+0xae/0x220
> ...
> 
> The report is valid: doing the math in this function, with an input value
> N=63 the variable s16tableIndex gets a value of 31. This value is used as
> an index in the array log_table with 32 entries. But the next line is:
> 
> 	s16errorApproximation = (s16) qm_mulu16(u16offset,
> 				(u16) (log_table[s16tableIndex + 1] -
> 				       log_table[s16tableIndex]));
> 
> With s16tableIndex + 1 we are trying an out-of-bounds access to the array.
> 
> The log_table array provides log2 values in q.15 format and the above
> statement tries an error approximation with the next value. To fix this
> issue add the next value to the array and update the comment accordingly.
> 
> Signed-off-by: Tobias Regnery <tobias.regnery@xxxxxxxxx>

A note to myself: this patch seems to be corrupted in patchwork web interface,
need to check that when commiting the formatting is ok.

-- 
https://patchwork.kernel.org/patch/9439423/

Documentation about submitting wireless patches and checking status
from patchwork:

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches




[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux