On 14 December 2017 at 14:21, Kalle Valo <kvalo@xxxxxxxxxxxxxxxx> wrote: > Christian Lamparter <chunkeey@xxxxxxxxx> writes: > >> On Monday, November 20, 2017 11:57:21 AM CET Kalle Valo wrote: >>> Christian Lamparter <chunkeey@xxxxxxxxx> writes: >>> >>> > On Wednesday, November 1, 2017 9:37:53 PM CET Sebastian Gottschall wrote: >>> >> a additional array bounds check would be good >>> > >>> > Ah, about that: >>> > >>> > the bw variable in ath10k_htt_rx_h_rates() is extracted from info2 >>> > in the following way [0]: >>> > | bw = info2 & 3; >>> > >>> > the txrate.bw variable in ath10k_update_per_peer_tx_stats() is set by [1]: >>> > | txrate.bw = ATH10K_HW_BW(peer_stats->flags); >>> > >>> > ATH10K_HW_BW is a macro defined as [2]: >>> > | #define ATH10K_HW_BW(flags) (((flags) >> 3) & 0x3) >>> > >>> > In both cases the bandwidth values already are limited to 0-3 by >>> > the "and 3" operation. >>> >>> Until someone changes that part of the code (and the firmware >>> interface). IMHO a switch is safer as there we don't have any risk of >>> out of bands access. >> >> The kbuild-bot/CI can catch this too. >> >> For example, it will look like this: >> drivers/net/wireless/ath/ath10k//htt_rx.c:710:52: warning: invalid >> access past the end of 'ath10k_bw_to_mac80211' (4 4) > > Sure, but after reading about all these security vulnerabilities I have > become even more cautious and try to avoid all tricky stuff. > >> BTW: >> Have you noticed: >> >> <https://github.com/lede-project/source/blob/master/package/kernel/mac80211/patches/319-ath10k-fix-recent-bandwidth-conversion-bug.patch> >> >> Is this really your signed-off-by or not? > > I suspect that patch is taken from my pending branch. > >> In any case, you - as the maintainer - can modify the patch as >> you see fit. So, please do so. > > Ok, we'll send v2. Hi Kalle, I'm trying to figure out the fate of that LEDE's patch. I don't think you ever sent V2. Is that fix still needed? Are you planning to send V2? -- Rafał
