[SRU,Xenial] UBUNTU: SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

Message ID 1548845657-7793-1-git-send-email-siva8118@gmail.com
State New
Series
  • [SRU,Xenial] UBUNTU: SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

Commit Message

Siva Rebbagondla Jan. 30, 2019, 10:54 a.m.
From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>

BugLink: https://bugs.launchpad.net/bugs/1813869

When MAC spoofing is enabled in userspace and a scan is triggered with a
custom MAC address, the driver does not handle the custom address properly,
which causes a kernel crash. This could be fixed by copying the custom MAC
address to the driver's MAC address.

...skipping...
[ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
[ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
[ 49.147555] PGD 0
[ 49.149799] Oops: 0000 [#1] SMP
[ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
[ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
[ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
[ 49.357435] Stack:
[ 49.359675]  ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000
[ 49.367971]  ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457
[ 49.376267]  00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000
[ 49.384561] Call Trace:
[ 49.387307]  [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x]
[ 49.395784]  [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x]
[ 49.403486]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
[ 49.409633]  [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
[ 49.416164]  [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
[ 49.422306]  [<ffffffff8109f170>] ? process_one_work+0x490/0x490
[ 49.429032]  [<ffffffff810a5587>] kthread+0xe7/0x100
[ 49.434589]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
[ 49.440731]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
[ 49.448042]  [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
[ 49.454086]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0

Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
---
 ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

Comments

Stefan Bader Feb. 4, 2019, 11:22 a.m. | #1
On 30.01.19 11:54, Siva Rebbagondla wrote:
> From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1813869
> 
> When mac spoof is enabled in userspace and scan gets triggered with custom
> mac address, driver is not handling custom mac addresses properly and
> causing kernel crash. This could be fixed by copying custom mac addess to
> mac address.
> 
> ...skipping...
> [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
> [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
> [ 49.147555] PGD 0
> [ 49.149799] Oops: 0000 [#1] SMP
> [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
> [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
> [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
> [ 49.357435] Stack:
> [ 49.359675]  ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000
> [ 49.367971]  ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457
> [ 49.376267]  00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000
> [ 49.384561] Call Trace:
> [ 49.387307]  [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x]
> [ 49.395784]  [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x]
> [ 49.403486]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.409633]  [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
> [ 49.416164]  [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
> [ 49.422306]  [<ffffffff8109f170>] ? process_one_work+0x490/0x490
> [ 49.429032]  [<ffffffff810a5587>] kthread+0xe7/0x100
> [ 49.434589]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.440731]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> [ 49.448042]  [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
> [ 49.454086]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> 
> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
> index 78702ff24532..f6a075824e60 100644
> --- a/ubuntu/rsi/rsi_91x_mac80211.c
> +++ b/ubuntu/rsi/rsi_91x_mac80211.c
> @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
>  };
>  #endif
>  
> +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
> +{
> +	u8 addr[ETH_ALEN] = {0};
> +
> +	if (!memcmp(addr, addr_t, ETH_ALEN)) {
> +		ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
> +		return -1;
> +	} else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
> +		memcpy(common->mac_addr, addr_t, ETH_ALEN);
> +	}
> +	return 0;
> +}
> +
>  struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
>  {
>  	u8 i;
> @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
>  	/* Scan already in progress. So return */
>  	if (common->bgscan_en || common->scan_in_prog)
>  		return -EBUSY;
> +	if (rsi_validate_mac_addr(common, vif->addr))
> +		return -ENODEV;
>  
>  	cancel_work_sync(&common->scan_work);
>  	mutex_lock(&common->mutex);
> @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw,
>  	struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
>  	struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
>  
> +#ifndef CONFIG_VEN_RSI_P2P
> +	if (rsi_validate_mac_addr(common, wlh->addr2)) {
> +		ieee80211_free_txskb(common->priv->hw, skb);
> +		return;
> +	}
> +#endif
> +
>  #ifdef CONFIG_VEN_RSI_WOW
>  	if (common->wow_flags & RSI_WOW_ENABLED) {
>  		ieee80211_free_txskb(common->priv->hw, skb);
>
Kleber Souza Feb. 4, 2019, 11:34 a.m. | #2
On 1/30/19 11:54 AM, Siva Rebbagondla wrote:
> From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1813869
>
> When mac spoof is enabled in userspace and scan gets triggered with custom
> mac address, driver is not handling custom mac addresses properly and
> causing kernel crash. This could be fixed by copying custom mac addess to
> mac address.
>
> ...skipping...
> [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
> [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
> [ 49.147555] PGD 0
> [ 49.149799] Oops: 0000 [#1] SMP
> [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
> [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
> [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
> [ 49.357435] Stack:
> [ 49.359675]  ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000
> [ 49.367971]  ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457
> [ 49.376267]  00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000
> [ 49.384561] Call Trace:
> [ 49.387307]  [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x]
> [ 49.395784]  [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x]
> [ 49.403486]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.409633]  [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
> [ 49.416164]  [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
> [ 49.422306]  [<ffffffff8109f170>] ? process_one_work+0x490/0x490
> [ 49.429032]  [<ffffffff810a5587>] kthread+0xe7/0x100
> [ 49.434589]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.440731]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> [ 49.448042]  [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
> [ 49.454086]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
>
> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>


Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>


> ---
>  ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
>
> diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
> index 78702ff24532..f6a075824e60 100644
> --- a/ubuntu/rsi/rsi_91x_mac80211.c
> +++ b/ubuntu/rsi/rsi_91x_mac80211.c
> @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
>  };
>  #endif
>  
> +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
> +{
> +	u8 addr[ETH_ALEN] = {0};
> +
> +	if (!memcmp(addr, addr_t, ETH_ALEN)) {
> +		ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
> +		return -1;
> +	} else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
> +		memcpy(common->mac_addr, addr_t, ETH_ALEN);
> +	}
> +	return 0;
> +}
> +
>  struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
>  {
>  	u8 i;
> @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
>  	/* Scan already in progress. So return */
>  	if (common->bgscan_en || common->scan_in_prog)
>  		return -EBUSY;
> +	if (rsi_validate_mac_addr(common, vif->addr))
> +		return -ENODEV;
>  
>  	cancel_work_sync(&common->scan_work);
>  	mutex_lock(&common->mutex);
> @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw,
>  	struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
>  	struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
>  
> +#ifndef CONFIG_VEN_RSI_P2P
> +	if (rsi_validate_mac_addr(common, wlh->addr2)) {
> +		ieee80211_free_txskb(common->priv->hw, skb);
> +		return;
> +	}
> +#endif
> +
>  #ifdef CONFIG_VEN_RSI_WOW
>  	if (common->wow_flags & RSI_WOW_ENABLED) {
>  		ieee80211_free_txskb(common->priv->hw, skb);
Khaled Elmously Feb. 5, 2019, 5:18 a.m. | #3
On 2019-01-30 16:24:17 , Siva Rebbagondla wrote:
> From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1813869
> 
> When mac spoof is enabled in userspace and scan gets triggered with custom
> mac address, driver is not handling custom mac addresses properly and
> causing kernel crash. This could be fixed by copying custom mac addess to
> mac address.
> 
> ...skipping...
> [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
> [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
> [ 49.147555] PGD 0
> [ 49.149799] Oops: 0000 [#1] SMP
> [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
> [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
> [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
> [ 49.357435] Stack:
> [ 49.359675]  ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000
> [ 49.367971]  ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457
> [ 49.376267]  00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000
> [ 49.384561] Call Trace:
> [ 49.387307]  [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x]
> [ 49.395784]  [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x]
> [ 49.403486]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.409633]  [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
> [ 49.416164]  [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
> [ 49.422306]  [<ffffffff8109f170>] ? process_one_work+0x490/0x490
> [ 49.429032]  [<ffffffff810a5587>] kthread+0xe7/0x100
> [ 49.434589]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.440731]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> [ 49.448042]  [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
> [ 49.454086]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> 
> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
> ---
>  ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
> index 78702ff24532..f6a075824e60 100644
> --- a/ubuntu/rsi/rsi_91x_mac80211.c
> +++ b/ubuntu/rsi/rsi_91x_mac80211.c
> @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
>  };
>  #endif
>  
> +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
> +{
> +	u8 addr[ETH_ALEN] = {0};
> +
> +	if (!memcmp(addr, addr_t, ETH_ALEN)) {
> +		ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
> +		return -1;
> +	} else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
> +		memcpy(common->mac_addr, addr_t, ETH_ALEN);
> +	}
> +	return 0;
> +}
> +
>  struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
>  {
>  	u8 i;
> @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
>  	/* Scan already in progress. So return */
>  	if (common->bgscan_en || common->scan_in_prog)
>  		return -EBUSY;
> +	if (rsi_validate_mac_addr(common, vif->addr))
> +		return -ENODEV;
>  
>  	cancel_work_sync(&common->scan_work);
>  	mutex_lock(&common->mutex);
> @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw,
>  	struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
>  	struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
>  
> +#ifndef CONFIG_VEN_RSI_P2P
> +	if (rsi_validate_mac_addr(common, wlh->addr2)) {
> +		ieee80211_free_txskb(common->priv->hw, skb);
> +		return;
> +	}
> +#endif
> +
>  #ifdef CONFIG_VEN_RSI_WOW
>  	if (common->wow_flags & RSI_WOW_ENABLED) {
>  		ieee80211_free_txskb(common->priv->hw, skb);
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
index 78702ff24532..f6a075824e60 100644
--- a/ubuntu/rsi/rsi_91x_mac80211.c
+++ b/ubuntu/rsi/rsi_91x_mac80211.c
@@ -216,6 +216,19 @@  static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
 };
 #endif
 
+static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
+{
+	u8 addr[ETH_ALEN] = {0};
+
+	if (!memcmp(addr, addr_t, ETH_ALEN)) {
+		ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
+		return -1;
+	} else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
+		memcpy(common->mac_addr, addr_t, ETH_ALEN);
+	}
+	return 0;
+}
+
 struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
 {
 	u8 i;
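Review bot: rsi_validate_mac_addr() is named as a check but also overwrites common->mac_addr whenever the supplied address differs, so every call site silently changes driver-wide state; a header comment should say so, or the copy should move into a separate helper. The all-zero test filters only one bad value: multicast and broadcast addresses pass and get stored, which `if (!is_valid_ether_addr(addr_t)) return -EINVAL;` from <linux/etherdevice.h> would reject while also removing the local zero array. The log text "MAC addr is NULL" describes a zero address rather than a null pointer, and `addr_t` is only read, so it can be declared `const u8 *`. The trailing context (rsi_get_vif) continues outside the hunk.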
@@ -375,6 +388,8 @@  static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
 	/* Scan already in progress. So return */
 	if (common->bgscan_en || common->scan_in_prog)
 		return -EBUSY;
+	if (rsi_validate_mac_addr(common, vif->addr))
+		return -ENODEV;
 
 	cancel_work_sync(&common->scan_work);
 	mutex_lock(&common->mutex);
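Review bot: The new call writes common->mac_addr before `mutex_lock(&common->mutex)` is taken two lines later, so the update is not serialized against other users of that field (the TX path in the third hunk calls the same helper and no lock is visible there either). Moving the call under the mutex, with a `mutex_unlock(&common->mutex)` on the failure return, would close that window if the field is meant to be protected by it. `-ENODEV` for a rejected address is also surprising to the scan caller; `-EINVAL` says what went wrong. The oops in the description faults at offset 0x134 inside rsi_prepare_mgmt_desc, which looks like a NULL structure pointer being dereferenced there; this hunk avoids the address mismatch that presumably leads to it, but the dereference itself stays unchecked, so a NULL test at that site is worth adding separately. The function body starts and ends outside the hunk.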
@@ -554,6 +569,13 @@  static void rsi_mac80211_tx(struct ieee80211_hw *hw,
 	struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
 	struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
 
+#ifndef CONFIG_VEN_RSI_P2P
+	if (rsi_validate_mac_addr(common, wlh->addr2)) {
+		ieee80211_free_txskb(common->priv->hw, skb);
+		return;
+	}
+#endif
+
 #ifdef CONFIG_VEN_RSI_WOW
 	if (common->wow_flags & RSI_WOW_ENABLED) {
 		ieee80211_free_txskb(common->priv->hw, skb);
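Review bot: In rsi_mac80211_tx the helper is fed `wlh->addr2`, a field read from the frame being transmitted, so the driver-wide common->mac_addr follows whatever transmitter address the last frame carried, and it does so on every packet. If frames can reach this path with an addr2 that is not the interface address (for example with several vifs, since `vif` is taken from `adapter->vifs[adapter->sc_nvifs - 1]`), the stored address will flip between values; checking against `vif->addr` and updating the stored address only when the interface address changes would keep packet contents from steering driver state. The `#ifndef CONFIG_VEN_RSI_P2P` guard leaves P2P builds without the check and needs a comment giving the reason. The dropped frame is only visible through the ERR_ZONE debug print, so a short comment at the `return` such as `/* frame dropped: zero transmitter address */` would help whoever debugs missing TX. The function continues outside the hunk.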