Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3425183ybl;
        Sun, 1 Sep 2019 12:47:07 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzV76luoVFw+7jXNS3TiIideVRC7HRmvFvkKIUwMl1AWETMCo5PNeAF6vPzHsSeEuuQUheB
X-Received: by 2002:a17:902:e686:: with SMTP id cn6mr26890006plb.12.1567367227462;
        Sun, 01 Sep 2019 12:47:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1567367227; cv=none;
        d=google.com; s=arc-20160816;
        b=nvhgtv0nKM5vlNS+32R6qCWft4PgmXi+gMAiMLOuXUqSVaNLZiN9/vUlh4EMrp3g/Y
         IEYnbJt0NPVjxbcWnigr0HPvP+We5DuFHN6ulzz1wjDnbMBp6zVpoYA2Ms1/+U2ALXQu
         OyE42Z8TIUlfhONAI5HEk9u1CKClCF6FzxTr7kgozG44o/WDwaUaD0TvilkTnDZkT3Ni
         C6RoXTvv7WHjs2R8lbsWcYySq5FspbRdw1QrZIhYjGJp2KWNGDTrk0Ltqh5mZJ6koGsc
         owoSCH6jSwT4iMf0hbp6Y4g7em9XKYP8Ws3+ZCLNv5vZHAYXHNFw15DPzObCq9no/YF8
         SKow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:references:subject:cc:to
         :from:dkim-signature;
        bh=exATxEDmVr8tY6PaCJvDBgnaUkdR9wAvkh7ugWPQO1Q=;
        b=uZjXPvDNH8l3yjQ5M/qvEon17kLnppm/zp3HkNwCCS/Z7dgPWmbsL6rytr8n+Wijif
         jgqslNDRIBUG98gmQ/INKn76DA9GJvMUgO+rcN9QuwPi7EfNuBcPKysclOFGvVBKlZnR
         1Zxv4OdbEINt4VSC94MFBU1nInwVymO1gTdqY4mEPX840YHcTtUEUlMoDV3TFZrJf7y+
         UgbohmQBsu+pm8Fu/jtECxjnNZBA4f5oTUrIll2CeffTfQhW8zou2L59REOfuCALWGTf
         ZigiAWem2kBF8zX5nqdyGeK3QF2gFjDPZhYn+UdIxIux09TtgSXAmCJlXQ1CQbUrjEig
         GfDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=n7yyqs0Z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w10si10093388pll.357.2019.09.01.12.46.52;
        Sun, 01 Sep 2019 12:47:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=n7yyqs0Z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728934AbfIATqC (ORCPT <rfc822;crosarcplusplustest@gmail.com>
        + 99 others); Sun, 1 Sep 2019 15:46:02 -0400
Received: from mail-io1-f67.google.com ([209.85.166.67]:37919 "EHLO
        mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727517AbfIATqC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 1 Sep 2019 15:46:02 -0400
Received: by mail-io1-f67.google.com with SMTP id p12so25172649iog.5;
        Sun, 01 Sep 2019 12:46:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:references:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding;
        bh=exATxEDmVr8tY6PaCJvDBgnaUkdR9wAvkh7ugWPQO1Q=;
        b=n7yyqs0ZR2xE5OTPJqC89jRK0yhI+I0BvGnhxY0Ky14lTnNmu4jhvTgsRNd+H7qPGY
         BUUxu56UaShPGyBxZCApNsbsVT8DzGDIzLMNOMlrbMDtXka40+8w5RztQ2T/bDqppqfu
         cIe/chZKnRBDLJD4khJtGaa5tLQUf0bRg31sKka3LPH3H3vxZ8dmu8D/LA1y/x4ezTPH
         M1Qz+ReQYjER9Ap4bJGNiDaB1qAI7aD6j9DYLgMHGFdA75NDBsTHZD2Hog4T2Jspm9hh
         7H9M3wOinAE2XM4v8Zl4tq4P4SVOpRjfVqRosJCGQ1jDsKFs3vq/edvGvxTdTcotmkr+
         N6UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:references:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=exATxEDmVr8tY6PaCJvDBgnaUkdR9wAvkh7ugWPQO1Q=;
        b=CYO+3r5doRtxXrJCpNr393MrzgOLoRlIfZMmTaYAjlb7EzPkTGuodZlD2qF+JaoDFi
         eHN1aGIBo/P81CFG5mAyWDcycZBLrdrjVVbbArjFJ82dpK7bfhmDRa602oBjusRuCdpj
         D1pma1zXk+y35MtYS3MtOl5xg/TuTSLP+FFGVGOonP5UfwRCHy99S7hMtMYCQROrU0AO
         d6IMqeUDwdUqbO5W98SWA5CD0Azw4/kzfpfINfqCgxxdbX0gX24dYynGX9q4tLkTu9h/
         UUybx2sw8hnCELHlSS7ZE0sEXB0qXUmvoh2eBob+HwrHc4vs6rq9yuphUCIunxYtrPE3
         4z1w==
X-Gm-Message-State: APjAAAW8R40IamB+eGWjk1d1Eiu6P8i6KYiyXnNA3RlTLkupPkTva8Fh
        qFyXZHzfhDVnWK2hz6/msqwhrLjJLNWIEw==
X-Received: by 2002:a02:a909:: with SMTP id n9mr12910812jam.57.1567367160836;
        Sun, 01 Sep 2019 12:46:00 -0700 (PDT)
Received: from [10.164.9.36] (cos-128-210-107-27.science.purdue.edu. [128.210.107.27])
        by smtp.gmail.com with ESMTPSA id d9sm9018277ioo.15.2019.09.01.12.45.59
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 01 Sep 2019 12:46:00 -0700 (PDT)
From:   Hui Peng <benquike@gmail.com>
To:     Guenter Roeck <linux@roeck-us.net>
Cc:     kvalo@codeaurora.org, davem@davemloft.net,
        Mathias Payer <mathias.payer@nebelwelt.net>,
        ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in
 ath10k_usb_alloc_urb_from_pipe
References: <20190804003101.11541-1-benquike@gmail.com>
 <20190831213139.GA32507@roeck-us.net>
Message-ID: <8bc83a3f-2c14-1abe-9add-eb9cfca6917f@gmail.com>
Date:   Sun, 1 Sep 2019 15:45:59 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <20190831213139.GA32507@roeck-us.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/31/19 5:31 PM, Guenter Roeck wrote:
> Hi,
>
> On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
>> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
>> are initialized to point to the containing `ath10k_usb` object
>> according to endpoint descriptors read from the device side, as shown
>> below in `ath10k_usb_setup_pipe_resources`:
>>
>> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>         endpoint = &iface_desc->endpoint[i].desc;
>>
>>         // get the address from endpoint descriptor
>>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>>                                                 endpoint->bEndpointAddress,
>>                                                 &urbcount);
>>         ......
>>         // select the pipe object
>>         pipe = &ar_usb->pipes[pipe_num];
>>
>>         // initialize the ar_usb field
>>         pipe->ar_usb = ar_usb;
>> }
>>
>> The driver assumes that the addresses reported in endpoint
>> descriptors from device side  to be complete. If a device is
>> malicious and does not report complete addresses, it may trigger
>> NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and
>> `ath10k_usb_free_urb_to_pipe`.
>>
>> This patch fixes the bug by preventing potential NULL-ptr-deref.
>>
>> Signed-off-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
> and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
> next.
>
> Is the patch going to be applied to the upstream kernel anytime soon ? If
> not, is there reason to believe that its severity may not be as high as the
> CVSS score indicates ?
The score was assigned by MITRE.
Same as previous ones, it is under review, once passed, it will be applied.
> Thanks,
> Guenter
>
>> ---
>>  drivers/net/wireless/ath/ath10k/usb.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
>> index e1420f67f776..14d86627b47f 100644
>> --- a/drivers/net/wireless/ath/ath10k/usb.c
>> +++ b/drivers/net/wireless/ath/ath10k/usb.c
>> @@ -38,6 +38,10 @@ ath10k_usb_alloc_urb_from_pipe(struct ath10k_usb_pipe *pipe)
>>  	struct ath10k_urb_context *urb_context = NULL;
>>  	unsigned long flags;
>>  
>> +	/* bail if this pipe is not initialized */
>> +	if (!pipe->ar_usb)
>> +		return NULL;
>> +
>>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>>  	if (!list_empty(&pipe->urb_list_head)) {
>>  		urb_context = list_first_entry(&pipe->urb_list_head,
>> @@ -55,6 +59,10 @@ static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe,
>>  {
>>  	unsigned long flags;
>>  
>> +	/* bail if this pipe is not initialized */
>> +	if (!pipe->ar_usb)
>> +		return NULL;
>> +
>>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>>  
>>  	pipe->urb_cnt++;
>> -- 
>> 2.22.0
>>