From patchwork Fri Aug 14 09:05:46 2015
X-Patchwork-Submitter: Adrien Schildknecht
X-Patchwork-Id: 507318
X-Patchwork-Delegate: davem@davemloft.net
From: Adrien Schildknecht
To: johannes.berg@intel.com, emmanuel.grumbach@intel.com
Cc: ilw@linux.intel.com, kvalo@codeaurora.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Adrien Schildknecht
Subject: [PATCH v2] iwlwifi: out-of-bounds access in iwl_init_sband_channels
Date: Fri, 14 Aug 2015 11:05:46 +0200
Message-Id: <1439543146-18938-1-git-send-email-adrien+dev@schischi.me>
X-Mailer: git-send-email 2.5.0
In-Reply-To: <87h9o2l4ts.fsf@kamboji.qca.qualcomm.com>
References: <87h9o2l4ts.fsf@kamboji.qca.qualcomm.com>

KASan error report:
==================================================================
BUG: KASan: out of bounds access in iwl_init_sband_channels+0x207/0x260 [iwlwifi] at addr ffff8800c2d0aac8
Read of size 4 by task modprobe/329
==================================================================

Both loops of this function compare data from the 'chan' array and then
check if the index is valid. The 2 conditions should be inverted to avoid
an out-of-bounds access.

Signed-off-by: Adrien Schildknecht
---
 drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c index 21302b6..acc3d18 100644 --- a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c +++ b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c @@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data, struct ieee80211_channel *chan = &data->channels[0]; int n = 0, idx = 0; - while (chan->band != band && idx < n_channels) + while (idx < n_channels && chan->band != band) chan = &data->channels[++idx]; sband->channels = &data->channels[idx]; - while (chan->band == band && idx < n_channels) { + while (idx < n_channels && chan->band == band) { chan = &data->channels[++idx]; n++; }
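
Review bot: Both rewritten `while` conditions still read the band through the separate `chan` cursor, which is advanced by `chan = &data->channels[++idx];` and therefore holds the address of `channels[n_channels]` whenever either loop runs to the end. With the new ordering that pointer is no longer dereferenced, but keeping the index and the cursor in step by hand is what allowed the original ordering mistake. Consider testing the element through the index instead, for example `while (idx < n_channels && data->channels[idx].band != band) idx++;` and the matching form with `n++` in the second loop, so the bounds check and the access cannot drift apart again. The guard is also only as strong as `n_channels`: the hunk does not show where that value comes from, so the commit message should state that it never exceeds the number of entries in `data->channels`. Minor wording point in the commit message: the two conditions are swapped rather than inverted.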