From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qiujun Huang, Kalle Valo, syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com
Subject: [PATCH 4.9 044/128] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
Date: Fri, 19 Jun 2020 16:32:18 +0200
Message-Id: <20200619141622.548236961@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619141620.148019466@linuxfoundation.org>
References: <20200619141620.148019466@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org
From: Qiujun Huang

commit e4ff08a4d727146bb6717a39a8d399d834654345 upstream.

Write out of slab bounds. We should check epid.

The case reported by syzbot:
https://lore.kernel.org/linux-usb/0000000000006ac55b05a1c05d72@google.com

BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881cea291f0 by task swapper/1/0

Call Trace:
 htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
 ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
 ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786

Reported-and-tested-by: syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20200404041838.10426-4-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -114,6 +114,9 @@ static void htc_process_conn_rsp(struct if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { epid = svc_rspmsg->endpoint_id; + if (epid < 0 || epid >= ENDPOINT_MAX) + return; + service_id = be16_to_cpu(svc_rspmsg->service_id); max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); endpoint = &target->endpoint[epid];
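Review bot: the added bounds check on epid is correctly placed before the `endpoint = &target->endpoint[epid];` dereference that the KASAN report shows writing out of bounds, but two points are worth raising. First, the `epid < 0` half of the condition is only meaningful if `epid` has a signed type; the declaration is outside the hunk, so confirm it, otherwise the comparison is dead and some compilers will warn about it. Second, the early `return` silently discards a connect-service response carrying a malformed endpoint id from the device; since this path is reachable from a USB completion callback, a rate-limited diagnostic (for example a `dev_err_ratelimited`-style message naming the bad epid) would make a hostile or faulty device visible in logs rather than just failing the service connection without a trace.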