On Thu, Aug 24, 2023 at 09:10:45PM -0600, Gustavo A. R. Silva wrote: > Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before > decoding data from `event_buf`. > > This prevents any malicious or buggy firmware from overflowing > `event_buf` through large values for `tlv_len` and `tlv_bitmap_len`. > > Suggested-by: Dan Williams <dcbw@xxxxxxxxxx> > Signed-off-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx> > --- > Changes in v2: > - Fix format specifier: %ld -> %zu > | Reported-by: kernel test robot <lkp@xxxxxxxxx> > | Closes: https://lore.kernel.org/oe-kbuild-all/202308240844.leyoOwdG-lkp@xxxxxxxxx/ > > - Update warning messages to explicitly mention that TLV size is > greater than tlv_buf_len. > > v1: > - Link: https://lore.kernel.org/linux-hardening/587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@xxxxxxxxxx/ > > .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > index 735aac52bdc4..10690e82358b 100644 > --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c > @@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, > while (tlv_buf_left > sizeof(*tlv_rxba)) { > tlv_type = le16_to_cpu(tlv_rxba->header.type); > tlv_len = le16_to_cpu(tlv_rxba->header.len); > + if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) { > + mwifiex_dbg(priv->adapter, WARN, > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > + size_add(sizeof(tlv_rxba->header), tlv_len), > + tlv_buf_left); With the suggested change to make this a warning and not dbg: Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> Thanks! -Kees > + return; > + } > + > if (tlv_type != TLV_TYPE_RXBA_SYNC) { > mwifiex_dbg(priv->adapter, ERROR, > "Wrong TLV id=0x%x\n", tlv_type); > @@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, > > tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num); > tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len); > + if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) { > + mwifiex_dbg(priv->adapter, WARN, > + "TLV size (%zu) overflows event_buf buf_left=%d\n", > + size_add(sizeof(*tlv_rxba), tlv_bitmap_len), > + tlv_buf_left); > + return; > + } > + > mwifiex_dbg(priv->adapter, INFO, > "%pM tid=%d seq_num=%d bitmap_len=%d\n", > tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num, > -- > 2.34.1 > -- Kees Cook
