On Mon, Apr 6, 2020 at 9:53 PM Sedat Dilek <sedat.dilek@xxxxxxxxx> wrote:
>
> On Mon, Apr 6, 2020 at 4:11 PM Kalle Valo <kvalo@xxxxxxxxxxxxxx> wrote:
> >
> > Chris Rorvick <chris@xxxxxxxxxxx> wrote:
> >
> > > Commit 71bc0334a637 ("iwlwifi: check allocated pointer when allocating
> > > conf_tlvs") attempted to fix a typo introduced by commit 17b809c9b22e
> > > ("iwlwifi: dbg: move debug data to a struct") but does not implement the
> > > check correctly.
> > >
> > > This can happen in OOM situations and, when it does, we will potentially try to
> > > dereference a NULL pointer.
> > >
> > > Tweeted-by: @grsecurity
> > > Signed-off-by: Chris Rorvick <chris@xxxxxxxxxxx>
> >
> > Fails to build, please rebase on top of wireless-drivers.
> >
> > drivers/net/wireless/intel/iwlwifi/iwl-drv.c: In function 'iwl_req_fw_callback':
> > drivers/net/wireless/intel/iwlwifi/iwl-drv.c:1470:16: error: 'struct iwl_fw' has no member named 'dbg_conf_tlv'
> >    if (!drv->fw.dbg_conf_tlv[i])
> >                 ^
> > make[5]: *** [drivers/net/wireless/intel/iwlwifi/iwl-drv.o] Error 1
> > make[5]: *** Waiting for unfinished jobs....
> > make[4]: *** [drivers/net/wireless/intel/iwlwifi] Error 2
> > make[3]: *** [drivers/net/wireless/intel] Error 2
> > make[2]: *** [drivers/net/wireless] Error 2
> > make[1]: *** [drivers/net] Error 2
> > make[1]: *** Waiting for unfinished jobs....
> > make: *** [drivers] Error 2
> >
>
> Should be:
>
> $ git diff
> diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> index 0481796f75bc..c24350222133 100644
> --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> @@ -1467,7 +1467,7 @@ static void iwl_req_fw_callback(const struct > firmware *ucode_raw, void *context) > kmemdup(pieces->dbg_conf_tlv[i], > pieces->dbg_conf_tlv_len[i], > GFP_KERNEL);

Maybe this diff is clearer:

$ diff iwlwifi-actually-check-allocated-conf_tlv-pointer.patch iwlwifi-actually-check-allocated-conf_tlv-pointer-v2-dileks.patch
95a96
> Fixes: 71bc0334a637 ("iwlwifi: check allocated pointer when allocating conf_tlvs")
99c100,104
< In this wasn't picked up?
---
>
> [ v1->v2:
> - Fix typo s/fw.dbg_conf_tlv/fw.dbg.conf_tlv
> - Add Fixes tag as suggested by Kalle
> -dileks ]
115c120
< +       if (!drv->fw.dbg_conf_tlv[i])
---
> +       if (!drv->fw.dbg.conf_tlv[i])

Tested on top of Linux v5.6.3.

- Sedat -
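Review bot: the quoted hunk `@@ -1467,7 +1467,7 @@` is incomplete as posted and cannot be applied or reviewed: the header announces seven lines on each side, but only the three unchanged context lines ending at `GFP_KERNEL);` are visible, and the `-`/`+` lines that carry the actual `fw.dbg_conf_tlv` to `fw.dbg.conf_tlv` correction are missing. The `@@` header is also wrapped by the mail client (`const struct > firmware *ucode_raw`), which would corrupt the hunk on `git am`; send the v2 with `git send-email` or as an attachment so the hunk arrives intact. The v2 delta shown afterwards (the `Fixes: 71bc0334a637` tag and the `if (!drv->fw.dbg.conf_tlv[i])` check) matches the member name the build error asks for, so that is the content the resent hunk should carry.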
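As an added illustration (my own userspace model, not the driver's code): the conf_tlv copy loop with the corrected NULL check on fw->dbg.conf_tlv[i], plus allocation-fault injection so the OOM path the commit message describes can be exercised and shown to return an error and free earlier copies rather than leave a NULL in the array. The struct layout, FW_DBG_CONF_MAX, kmemdup_model, run_with_fault and tlvs_held are hypothetical stand-ins, not iwlwifi definitions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define FW_DBG_CONF_MAX 4 /* hypothetical slot count for this model */
/* Constructed stand-ins for the driver structures, not the real iwlwifi definitions. */
struct fw { struct { void *conf_tlv[FW_DBG_CONF_MAX]; } dbg; };
struct pieces { const void *dbg_conf_tlv[FW_DBG_CONF_MAX]; size_t dbg_conf_tlv_len[FW_DBG_CONF_MAX]; };
static int fail_alloc_at, alloc_count; /* fault injection: Nth allocation returns NULL (0 = never) */
static int tlvs_held;                  /* set by run_with_fault: copies still held after the call */

/* Userspace model of kmemdup(): copies len bytes, or returns NULL on the injected OOM. */
static void *kmemdup_model(const void *src, size_t len)
{
	void *p = ++alloc_count == fail_alloc_at ? NULL : malloc(len);
	return p ? memcpy(p, src, len) : NULL;
}

static void free_conf_tlvs(struct fw *fw)
{
	for (int i = 0; i < FW_DBG_CONF_MAX; i++)
		free(fw->dbg.conf_tlv[i]), fw->dbg.conf_tlv[i] = NULL;
}

/* Copy each present TLV. The NULL check tests the new copy fw->dbg.conf_tlv[i] (the member the
 * patch corrects), not the source; on failure free what was copied and return -ENOMEM. */
static int copy_conf_tlvs(struct fw *fw, const struct pieces *pieces)
{
	for (int i = 0; i < FW_DBG_CONF_MAX; i++) {
		if (!pieces->dbg_conf_tlv[i])
			continue;
		fw->dbg.conf_tlv[i] = kmemdup_model(pieces->dbg_conf_tlv[i], pieces->dbg_conf_tlv_len[i]);
		if (!fw->dbg.conf_tlv[i])
			goto out_free;
	}
	return 0;
out_free:
	free_conf_tlvs(fw);
	return -ENOMEM;
}

/* Run the copy with the Nth allocation forced to fail; tlvs_held records the copies left over. */
static int run_with_fault(int fail_at)
{
	struct pieces p = { { "conf0", "conf1", NULL, "conf3" }, { 6, 6, 0, 6 } }; /* constructed sample */
	struct fw fw = { 0 };
	fail_alloc_at = fail_at, alloc_count = 0;
	int n = 0, rc = copy_conf_tlvs(&fw, &p);
	for (int i = 0; i < FW_DBG_CONF_MAX; i++)
		n += fw.dbg.conf_tlv[i] != NULL;
	tlvs_held = n;
	free_conf_tlvs(&fw);
	return rc;
}
```

With no fault injected all three present TLVs are copied; with the second allocation failing the function reports -ENOMEM and nothing stays allocated, which is the behaviour the check is meant to guarantee under memory pressure.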