From patchwork Sun Jul 23 20:24:59 2023
X-Patchwork-Submitter: Christophe JAILLET
X-Patchwork-Id: 124547
From: Christophe JAILLET
To: Gregory Greenman, Kalle Valo, Johannes Berg
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET, linux-wireless@vger.kernel.org
Subject: [PATCH wireless] wifi: iwlwifi: mvm: Fix a memory corruption issue
Date: Sun, 23 Jul 2023 22:24:59 +0200
Message-Id: <23f0ec986ef1529055f4f93dcb3940a6cf8d9a94.1690143750.git.christophe.jaillet@wanadoo.fr>

A few lines above, space is kzalloc()'ed for:
  sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate)

'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.

At the end of this structure, there is the 'channels' flex array.
Each element is of type 'struct ieee80211_channel'.
So only 1 element is allocated in this array.

When doing:
  mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
We point at the first element of the 'channels' flex array.
So this is fine.

However, when doing:
  mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1);
because of the "(u8 *)" cast, we add only 1 to the address of the beginning of the flex array.

It is likely that we want to point at the 'struct ieee80211_rate' allocated just after.

Remove the spurious casting so that the pointer arithmetic works as expected.

Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
Signed-off-by: Christophe JAILLET
---
I've checked in the .s files, and:

Before
======
# drivers/net/wireless/intel/iwlwifi/mvm/fw.c:801: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
	leaq	1448(%r13), %rax	#, tmp248
# drivers/net/wireless/intel/iwlwifi/mvm/fw.c:805: (void *)((u8 *)mvm->nvm_data->channels + 1);
	leaq	1449(%r13), %rax	#, tmp252

After:
=====
# drivers/net/wireless/intel/iwlwifi/mvm/fw.c:801: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
	leaq	1448(%r13), %rax	#, tmp248
# drivers/net/wireless/intel/iwlwifi/mvm/fw.c:805: (void *)(mvm->nvm_data->channels + 1);
	leaq	1512(%r13), %rax	#, tmp252

And on my system sizeof(struct ieee80211_channel) = 64

/!\ This patch is only speculative and untested. /!\
It is strange that a memory corruption issue has been unnoticed for more than 10 years.
So review with care.
---
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c index 1f5db65a088d..1d5ee4330f29 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c @@ -802,7 +802,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm) mvm->nvm_data->bands[0].n_channels = 1; mvm->nvm_data->bands[0].n_bitrates = 1; mvm->nvm_data->bands[0].bitrates = - (void *)((u8 *)mvm->nvm_data->channels + 1); + (void *)(mvm->nvm_data->channels + 1); mvm->nvm_data->bands[0].bitrates->hw_value = 10; }
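Review bot: the corrected `(void *)(mvm->nvm_data->channels + 1)` is only right because the kzalloc() a few lines above the hunk (outside its context) sizes the buffer as sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) and n_channels is 1, so the single struct ieee80211_rate starts exactly one channel past the flex array, and the following `bitrates->hw_value = 10` store in the context lines goes through that pointer. A one-line comment at the assignment stating that layout, and that the remaining `(void *)` cast exists only to convert between the two struct pointer types, would stop the `(u8 *)` cast from being reintroduced; writing it as `(void *)&mvm->nvm_data->channels[1]` also makes the intended stride explicit without changing the generated code.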
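To make the arithmetic concrete, below is an added stand-alone C program; it is not part of the patch or of the iwlwifi driver. It uses simplified stand-in structs (an assumption: the real struct ieee80211_channel is 64 bytes on the author's system, the stand-in is 16), mirrors the driver's allocation of header + one channel + one rate, computes the `bitrates` pointer both the buggy way (`(u8 *)channels + 1`) and the fixed way (`channels + 1`), and then performs the driver's `hw_value = 10` store through each pointer to show which one overwrites bytes of `channels[0]`.

```c
/* Added illustration of the pointer-arithmetic bug fixed by the patch.
 * The struct layouts are simplified stand-ins for the kernel types
 * (assumption); only the arithmetic and the resulting overlap matter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct channel {               /* stand-in for struct ieee80211_channel (16 bytes) */
	uint32_t center_freq;
	uint32_t hw_value;
	uint32_t flags;
	int32_t  max_power;
};

struct rate {                  /* stand-in for struct ieee80211_rate (8 bytes) */
	uint32_t flags;
	uint16_t bitrate;
	uint16_t hw_value;
};

struct band {                  /* stand-in for struct ieee80211_supported_band */
	int n_channels;
	int n_bitrates;
	struct channel *channels;
	struct rate *bitrates;
};

struct nvm_data {              /* stand-in for struct iwl_nvm_data */
	struct band bands[1];
	struct channel channels[]; /* flexible array member, as in the kernel */
};

/* Mirrors the kzalloc() in iwl_run_init_mvm_ucode(): room for the header,
 * exactly one channel and exactly one rate. */
static struct nvm_data *alloc_nvm(void)
{
	size_t sz = sizeof(struct nvm_data) + sizeof(struct channel) + sizeof(struct rate);
	return calloc(1, sz);
}

/* Computes bands[0].bitrates the way the driver does and returns it as a
 * byte offset from the start of the allocation.
 * buggy = 1 reproduces "(u8 *)channels + 1", buggy = 0 the fixed "channels + 1". */
size_t bitrates_offset(int buggy)
{
	struct nvm_data *d = alloc_nvm();
	uint8_t *p;
	size_t off;

	if (!d)
		return (size_t)-1;
	p = buggy ? (uint8_t *)d->channels + 1 : (uint8_t *)(d->channels + 1);
	off = (size_t)(p - (uint8_t *)d);
	free(d);
	return off;
}

/* Performs the driver's "bitrates->hw_value = 10" store through the pointer
 * selected by buggy and reports whether any byte of channels[0] changed.
 * memcpy is used because the buggy pointer is misaligned for struct rate. */
int store_corrupts_channel(int buggy)
{
	struct nvm_data *d = alloc_nvm();
	static const struct channel zero;
	uint8_t *p;
	uint16_t hw_value = 10;
	int corrupted;

	if (!d)
		return -1;
	p = buggy ? (uint8_t *)d->channels + 1 : (uint8_t *)(d->channels + 1);
	memcpy(p + offsetof(struct rate, hw_value), &hw_value, sizeof(hw_value));
	corrupted = memcmp(&d->channels[0], &zero, sizeof(zero)) != 0;
	free(d);
	return corrupted;
}

int main(void)
{
	printf("sizeof(struct channel) = %zu; bitrates offset: buggy %zu, fixed %zu\n",
	       sizeof(struct channel), bitrates_offset(1), bitrates_offset(0));
	printf("channels[0] corrupted by the hw_value store: buggy %d, fixed %d\n",
	       store_corrupts_channel(1), store_corrupts_channel(0));
	return 0;
}
```

The difference between the two offsets is sizeof(struct channel) - 1, which matches the 1449 versus 1512 seen in the author's assembly for a 64-byte channel. With the buggy pointer the two-byte `hw_value` store lands inside `channels[0]`, silently overwriting whatever fields happen to sit at that byte offset; with the fixed pointer it lands in the rate slot the allocation reserved for it.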