Search Linux Wireless

Re: [PATCH 08/18] carl9170: prevent bounds-check bypass via speculative execution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jan 6, 2018 at 6:23 AM, Christian Lamparter <chunkeey@xxxxxxxxx> wrote:
> On Saturday, January 6, 2018 2:10:37 AM CET Dan Williams wrote:
>> Static analysis reports that 'queue' may be a user controlled value that
>> is used as a data dependency to read from the 'ar9170_qmap' array. In
>> order to avoid potential leaks of kernel memory values, block
>> speculative execution of the instruction stream that could issue reads
>> based on an invalid result of 'ar9170_qmap[queue]'. In this case the
>> value of 'ar9170_qmap[queue]' is immediately reused as an index to the
>> 'ar->edcf' array.
>>
>> Based on an original patch by Elena Reshetova.
>>
>> Cc: Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>
>> Cc: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
>> Cc: linux-wireless@xxxxxxxxxxxxxxx
>> Cc: netdev@xxxxxxxxxxxxxxx
>> Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
>> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
>> ---
>>  drivers/net/wireless/ath/carl9170/main.c |    6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
>> index 988c8857d78c..0ff34cbe2b62 100644
>> --- a/drivers/net/wireless/ath/carl9170/main.c
>> +++ b/drivers/net/wireless/ath/carl9170/main.c
>> @@ -41,6 +41,7 @@
>>  #include <linux/module.h>
>>  #include <linux/etherdevice.h>
>>  #include <linux/random.h>
>> +#include <linux/compiler.h>
>>  #include <net/mac80211.h>
>>  #include <net/cfg80211.h>
>>  #include "hw.h"
>> @@ -1384,11 +1385,12 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,
>>                              const struct ieee80211_tx_queue_params *param)
>>  {
>>       struct ar9170 *ar = hw->priv;
>> +     const u8 *elem;
>>       int ret;
>>
>>       mutex_lock(&ar->mutex);
>> -     if (queue < ar->hw->queues) {
>> -             memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
>> +     if ((elem = nospec_array_ptr(ar9170_qmap, queue, ar->hw->queues))) {
>> +             memcpy(&ar->edcf[*elem], param, sizeof(*param));
>>               ret = carl9170_set_qos(ar);
>>       } else {
>>               ret = -EINVAL;
>>
>>
> About the "queue" in carl9170_op_conf_tx, p54_conf_tx and cw1200_conf_tx:
>
> The only way a user can set this in any meaningful way would be via
> a NL80211_CMD_SET_WIPHY netlink message. However, the value will get
> vetted there by cfg80211's parse_txq_params [0]. This is long before
> it reaches any of the *_op_conf_tx functions.
>
> And Furthermore a invalid queue (param->ac) would cause a crash in
> this line in mac80211 before it even reaches the driver [1]:
> |       sdata->tx_conf[params->ac] = p;
> |                   ^^^^^^^^
> |       if (drv_conf_tx(local, sdata, >>>> params->ac <<<<, &p)) {
> |        ^^ (this is a wrapper for the *_op_conf_tx)
>
> I don't think these chin-up exercises are needed.

Quite the contrary, you've identified a better place in the call stack
to sanitize the input and disable speculation. Then we can kill the
whole class of the wireless driver reports at once it seems.



[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux