[PATCH v2] wifi: ath12k: Fix buffer overflow when scanning with extraie

Jeff Johnson quic_jjohnson at quicinc.com
Wed Aug 9 10:31:23 PDT 2023


On 8/9/2023 1:12 AM, Wen Gong wrote:
> If cfg80211 is providing extraie's for a scanning process then ath12k will
> copy that over to the firmware. The extraie.len is a 32 bit value in struct
> element_info and describes the amount of bytes for the vendor information
> elements.
> 
> The problem is the allocation of the buffer. It has to align the TLV
> sections by 4 bytes. But the code was using an u8 to store the newly
> calculated length of this section (with alignment). And the new
> calculated length was then used to allocate the skbuff. But the actual
> code to copy in the data is using the extraie.len and not the calculated
> "aligned" length.
> 
> The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled
> was 264 bytes during tests with a wifi card. But it only allocated 8
> bytes (264 bytes % 256) for it. As consequence, the code to memcpy the
> extraie into the skb was then just overwriting data after skb->end. Things
> like shinfo were therefore corrupted. This could usually be seen by a crash
> in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus
> address).
> 
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
> 
> Signed-off-by: Wen Gong <quic_wgong at quicinc.com>

Reviewed-by: Jeff Johnson <quic_jjohnson at quicinc.com>

> ---
> v2: separate to another patch per johannes.
> 
>   drivers/net/wireless/ath/ath12k/wmi.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
> index 9ed33e2d6da0..cc9a377c06fd 100644
> --- a/drivers/net/wireless/ath/ath12k/wmi.c
> +++ b/drivers/net/wireless/ath/ath12k/wmi.c
> @@ -2221,8 +2221,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
>   	struct wmi_tlv *tlv;
>   	void *ptr;
>   	int i, ret, len;
> -	u32 *tmp_ptr;
> -	u8 extraie_len_with_pad = 0;
> +	u32 *tmp_ptr, extraie_len_with_pad = 0;
>   	struct ath12k_wmi_hint_short_ssid_arg *s_ssid = NULL;
>   	struct ath12k_wmi_hint_bssid_arg *hint_bssid = NULL;
>   
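Review bot: `u32 *tmp_ptr, extraie_len_with_pad = 0;` declares a pointer and a plain integer in one declarator list, which is easy to misread as two pointers on a quick scan; consider keeping `u32 extraie_len_with_pad = 0;` on its own line, as the removed `u8 extraie_len_with_pad = 0;` was. The width change itself is the right fix: the commit message's 264-byte extraie aligns to 264, which a u8 cannot hold, and the hunk shows no other size path that would have caught the wrap. It would also be worth a one-line comment at the copy site noting that the memcpy intentionally uses extraie.len while the allocation uses the 4-byte-aligned length, since that mismatch (safe as long as the padded length is held in a type wide enough to be >= extraie.len) is what let the truncated allocation go unnoticed.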
> 
> base-commit: 3f257461ab0ab19806bae2bfde4c3cd88dbf050e
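The truncation described in the commit message, worked through as an added example that is not code from the patch or from the ath12k driver. `tlv_align4`, `aligned_len_u8`, `aligned_len_u32` and `copy_extraie_fits` are constructed stand-ins (assumed names, modelled on the kernel's `ALIGN(len, 4)` and the allocate-then-copy sequence the commit message describes, not the driver's real functions). It goes slightly beyond the single 264-byte case in the text: any aligned length of 256 or more wraps in a u8, and 255 is the worst case because it aligns to 256 and wraps to 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel's fixed-width types (constructed, not ath12k code). */
typedef uint8_t  u8;
typedef uint32_t u32;

/* Round a length up to the next 4-byte TLV boundary; same result as the
 * kernel's ALIGN(len, 4) for the values used here. */
static u32 tlv_align4(u32 len)
{
	return (len + 3u) & ~3u;
}

/* Pre-fix pattern: the padded length lands in a u8, so any value of 256 or
 * more wraps silently (264 -> 8, 256 -> 0). The cast makes explicit the
 * implicit narrowing that the original `u8 extraie_len_with_pad` did. */
static u8 aligned_len_u8(u32 extraie_len)
{
	u8 extraie_len_with_pad = 0;

	extraie_len_with_pad = (u8)tlv_align4(extraie_len);
	return extraie_len_with_pad;
}

/* Post-fix pattern: the padded length keeps its full 32-bit width. */
static u32 aligned_len_u32(u32 extraie_len)
{
	u32 extraie_len_with_pad = 0;

	extraie_len_with_pad = tlv_align4(extraie_len);
	return extraie_len_with_pad;
}

/* Model of the allocate-then-copy sequence from the commit message: the
 * buffer is sized from the padded length, but the memcpy uses the raw
 * extraie length. Returns 1 if the copy stays inside the allocation and 0
 * if it would run past the end (the condition that clobbers the data after
 * skb->end in the bug). The explicit bound is the guard the old code lacked;
 * it is a constructed check for this model, not something the driver has. */
static int copy_extraie_fits(u32 alloc_len, u32 extraie_len)
{
	u8 *ie = malloc(extraie_len ? extraie_len : 1);
	u8 *buf = malloc(alloc_len ? alloc_len : 1);
	int fits = 0;

	if (ie && buf) {
		memset(ie, 0xdd, extraie_len);	/* constructed IE payload */
		if (extraie_len <= alloc_len) {
			memcpy(buf, ie, extraie_len);
			fits = 1;
		}
	}
	free(ie);
	free(buf);
	return fits;
}

int main(void)
{
	const u32 lens[] = { 100, 255, 256, 264, 265 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		u32 len = lens[i];

		printf("extraie.len=%3u  u8 pad=%3u (copy %s)  u32 pad=%3u (copy %s)\n",
		       len,
		       aligned_len_u8(len),
		       copy_extraie_fits(aligned_len_u8(len), len) ? "fits" : "OVERFLOWS",
		       aligned_len_u32(len),
		       copy_extraie_fits(aligned_len_u32(len), len) ? "fits" : "OVERFLOWS");
	}
	return 0;
}
```

Running it reproduces the commit message's numbers: 264 bytes of extraie align to 264, the u8 version holds 8, and a copy of 264 bytes into an 8-byte buffer is flagged as an overflow, while the u32 version allocates 264 and the copy fits. Lengths below 256 behave the same in both widths, which is why the bug only showed up with larger IE sets such as the single-scan-on-all-bands case.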
