[PATCH v2] wifi: ath12k: Fix buffer overflow when scanning with extraie
Jeff Johnson
quic_jjohnson at quicinc.com
Wed Aug 9 11:16:14 PDT 2023
On 8/9/2023 10:31 AM, Jeff Johnson wrote:
> On 8/9/2023 1:12 AM, Wen Gong wrote:
>> If cfg80211 is providing extraie's for a scanning process then ath12k will
>> copy that over to the firmware. The extraie.len is a 32 bit value in struct
>> element_info and describes the amount of bytes for the vendor information
>> elements.
>>
>> The problem is the allocation of the buffer. It has to align the TLV
>> sections by 4 bytes. But the code was using a u8 to store the newly
>> calculated length of this section (with alignment). And the new
>> calculated length was then used to allocate the skbuff. But the actual
>> code to copy in the data is using the extraie.len and not the calculated
>> "aligned" length.
>>
>> The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled
>> was 264 bytes during tests with a wifi card. But it only allocated 8
>> bytes (264 bytes % 256) for it. As a consequence, the code to memcpy the
>> extraie into the skb was then just overwriting data after skb->end. Things
>> like shinfo were therefore corrupted. This could usually be seen by a crash
>> in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus
>> address).
>>
>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
>>
>> Signed-off-by: Wen Gong <quic_wgong at quicinc.com>
>
> Reviewed-by: Jeff Johnson <quic_jjohnson at quicinc.com>
Wen, can you please add a Fixes: tag since based upon the discussion you
actually observed a crash.
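As an added illustration (not the driver's code and not part of this thread), the C model below reproduces the length truncation the commit message describes: the 4-byte-aligned length is stored in a u8, so 264 becomes 8, the allocation is sized from the truncated value, and the copy still uses the full extraie length. The function names and the `TLV_ALIGN4` macro are constructed for the example; the fixed variant keeps the 32-bit width and the copy helper refuses a copy that would not fit.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Round up to the 4-byte TLV alignment (constructed stand-in for ALIGN()). */
#define TLV_ALIGN4(x) (((x) + 3u) & ~3u)

/* Buggy calculation from the report: the aligned length lands in a u8,
 * so an extraie.len of 264 silently becomes 264 % 256 = 8. */
uint8_t buggy_aligned_len(uint32_t extraie_len)
{
    uint8_t aligned = TLV_ALIGN4(extraie_len); /* truncating store */
    return aligned;
}

/* Fixed calculation: keep the same 32-bit width as element_info.len. */
uint32_t fixed_aligned_len(uint32_t extraie_len)
{
    return TLV_ALIGN4(extraie_len);
}

/* Does a memcpy of copy_len bytes stay inside a buffer of alloc_len bytes?
 * False models the write past skb->end that corrupted shinfo. */
bool copy_fits(uint32_t alloc_len, uint32_t copy_len)
{
    return copy_len <= alloc_len;
}

/* Hardened copy: checks the destination before copying instead of
 * trusting that allocation and copy were sized from the same value.
 * Returns bytes copied, or 0 when the copy would overrun. */
size_t copy_extraie(uint8_t *dst, size_t dst_len,
                    const uint8_t *src, uint32_t src_len)
{
    if (dst == NULL || src == NULL || src_len > dst_len)
        return 0;
    memcpy(dst, src, src_len);
    return src_len;
}

int main(void)
{
    uint32_t extraie_len = 264; /* value observed in the report */
    printf("u8 aligned len: %u, u32 aligned len: %u, copy fits: %s\n",
           buggy_aligned_len(extraie_len), fixed_aligned_len(extraie_len),
           copy_fits(buggy_aligned_len(extraie_len), extraie_len) ? "yes" : "no");
    return 0;
}
```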