Search Linux Wireless

Re: [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Monday 19 September 2022 17:01:35 CEST Lech Perczak wrote:
>
> From: Paweł Lenkow <pawel.lenkow@xxxxxxxxxxxxxxx>
> 
> During our testing of WFM200 module over SDIO on i.MX6Q-based platform,
> we discovered a memory corruption on the system, tracing back to the wfx
> driver. Using kfence, it was possible to trace it back to the root
> cause, which is hw->max_rates set to 8 in wfx_init_common,
> while the maximum defined by IEEE80211_TX_TABLE_SIZE is 4.
> 
> This causes array out-of-bounds writes during updates of the rate table,
> as seen below:
> 
> BUG: KFENCE: memory corruption in kfree_rcu_work+0x320/0x36c
> 
> Corrupted memory at 0xe0a4ffe0 [ 0x03 0x03 0x03 0x03 0x01 0x00 0x00
> 0x02 0x02 0x02 0x09 0x00 0x21 0xbb 0xbb 0xbb ] (in kfence-#81):
> kfree_rcu_work+0x320/0x36c
> process_one_work+0x3ec/0x920
> worker_thread+0x60/0x7a4
> kthread+0x174/0x1b4
> ret_from_fork+0x14/0x2c
> 0x0
> 
> kfence-#81: 0xe0a4ffc0-0xe0a4ffdf, size=32, cache=kmalloc-64
> 
> allocated by task 297 on cpu 0 at 631.039555s:
> minstrel_ht_update_rates+0x38/0x2b0 [mac80211]
> rate_control_tx_status+0xb4/0x148 [mac80211]
> ieee80211_tx_status_ext+0x364/0x1030 [mac80211]
> ieee80211_tx_status+0xe0/0x118 [mac80211]
> ieee80211_tasklet_handler+0xb0/0xe0 [mac80211]
> tasklet_action_common.constprop.0+0x11c/0x148
> __do_softirq+0x1a4/0x61c
> irq_exit+0xcc/0x104
> call_with_stack+0x18/0x20
> __irq_svc+0x80/0xb0
> wq_worker_sleeping+0x10/0x100
> wq_worker_sleeping+0x10/0x100
> schedule+0x50/0xe0
> schedule_timeout+0x2e0/0x474
> wait_for_completion+0xdc/0x1ec
> mmc_wait_for_req_done+0xc4/0xf8
> mmc_io_rw_extended+0x3b4/0x4ec
> sdio_io_rw_ext_helper+0x290/0x384
> sdio_memcpy_toio+0x30/0x38
> wfx_sdio_copy_to_io+0x88/0x108 [wfx]
> wfx_data_write+0x88/0x1f0 [wfx]
> bh_work+0x1c8/0xcc0 [wfx]
> process_one_work+0x3ec/0x920
> worker_thread+0x60/0x7a4
> kthread+0x174/0x1b4
> ret_from_fork+0x14/0x2c 0x0
> 
> After discussion on the wireless mailing list it was clarified
> that the issue has been introduced by:
> commit ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
> and fix shall be in minstrel_ht_update_rates in rc80211_minstrel_ht.c.
> 
> Fixes: ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
> Link: https://lore.kernel.org/all/12e5adcd-8aed-f0f7-70cc-4fb7b656b829@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/linux-wireless/20220915131445.30600-1-lech.perczak@xxxxxxxxxxxxxxx
> Cc: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>
> Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> Cc: Peter Seiderer <ps.report@xxxxxxx>
> Cc: Kalle Valo <kvalo@xxxxxxxxxx>
> Cc: Krzysztof Drobiński <krzysztof.drobinski@xxxxxxxxxxxxxxx>,
> Signed-off-by: Paweł Lenkow <pawel.lenkow@xxxxxxxxxxxxxxx>
> Signed-off-by: Lech Perczak <lech.perczak@xxxxxxxxxxxxxxx>

Reviewed-by: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>

[...]

-- 
Jérôme Pouiller
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux