From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zekun Shen, Kalle Valo, Sasha Levin
Subject: [PATCH 5.10 272/306] ath9k: fix OOB read ar9300_eeprom_restore_internal
Date: Thu, 16 Sep 2021 18:00:17 +0200
Message-Id: <20210916155803.349154197@linuxfoundation.org>
In-Reply-To: <20210916155753.903069397@linuxfoundation.org>
References: <20210916155753.903069397@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zekun Shen

[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]

A bad header can have a large length field, which can cause an OOB. cptr is the last byte to read, and the eeprom is parsed from high to low address. The OOB, triggered by the condition length > cptr, could cause a memory error with a read on a negative index. There are some sanity checks around length, but it is not compared with cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause a panic.

I was able to reproduce the crash, but I cannot find the log and the reproducer now. After I applied the patch, the bug is no longer reproducible.

Signed-off-by: Zekun Shen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index b4885a700296..b0a4ca3559fd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", cptr, code, reference, length, major, minor); if ((!AR_SREV_9485(ah) && length >= 1024) || - (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || + (length > cptr)) { ath_dbg(common, EEPROM, "Skipping bad header\n"); cptr -= COMP_HDR_LEN; continue; -- 2.30.2
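Review bot: the new `(length > cptr)` term bounds only the block's length field against the remaining bytes, while the skip path `cptr -= COMP_HDR_LEN;` shows that the header itself occupies COMP_HDR_LEN bytes below cptr; it is worth confirming in the surrounding read that a block with length == cptr, together with its header and any trailing checksum, still stays at or above index 0, and tightening the comparison (to `>=`, or to `length + COMP_HDR_LEN > cptr`) if it does not. A one-line comment above the condition stating that cptr is the count of bytes remaining below the header would also help, since the fixed 1024 and EEPROM_DATA_LEN_9485 limits next to it do not make that meaning obvious.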
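Added illustration, not the ath9k driver's code: a simplified model of the high-to-low block walk the commit message describes, with the pre-patch fixed-bound check beside the patched check that also bounds length by cptr. The header layout, the 4-byte header and 2-byte checksum sizes, the 0xff end marker and the 16-byte image are all assumptions made for this demo.

```c
#include <stdint.h>
#define HDR_LEN   4     /* assumed header size, standing in for COMP_HDR_LEN */
#define CKSUM_LEN 2     /* assumed trailing checksum size */
#define MAX_LEN   1024  /* fixed bound the pre-patch check applied */

/* Read `count` bytes downward from index `addr` (high-to-low parse), refusing
 * rather than touching a negative index: this is the OOB the patch prevents. */
static int read_down(const uint8_t *buf, int addr, uint8_t *out, int count)
{
    for (int i = 0; i < count; i++) {
        if (addr - i < 0)
            return -1;
        out[i] = buf[addr - i];
    }
    return 0;
}

/* Pre-patch check is the fixed bound alone; the patch adds the cptr bound. */
static int header_ok(int length, int cptr, int with_fix)
{
    return length < MAX_LEN && !(with_fix && length > cptr);
}

/* Walk from the top of the image. Assumed header layout: hdr[0]=code (0xff ends
 * the walk), hdr[1]=ref, hdr[2..3]=length LE. Returns blocks accepted, or -1 if
 * a read would have gone below index 0 (a crash in the real driver). */
static int walk(const uint8_t *buf, int size, int with_fix)
{
    uint8_t hdr[HDR_LEN], blk[HDR_LEN + MAX_LEN + CKSUM_LEN];
    int cptr = size - 1, accepted = 0;
    while (cptr >= HDR_LEN - 1) {
        if (read_down(buf, cptr, hdr, HDR_LEN) < 0) return -1;
        if (hdr[0] == 0xff) break;
        int length = hdr[2] | (hdr[3] << 8);
        if (!header_ok(length, cptr, with_fix)) {
            cptr -= HDR_LEN;    /* the "Skipping bad header" path */
            continue;
        }
        if (read_down(buf, cptr, blk, HDR_LEN + length + CKSUM_LEN) < 0) return -1;
        accepted++;
        cptr -= HDR_LEN + length + CKSUM_LEN;
    }
    return accepted;
}

/* Constructed 16-byte image: one header at the top claiming `length` data
 * bytes; 0xff markers where the walk lands after a skip (11) or a 3-byte block (6). */
static int demo(int length, int with_fix)
{
    uint8_t img[16] = {0};
    img[15] = 1; img[14] = 0;                         /* code, ref */
    img[13] = length & 0xff; img[12] = (length >> 8) & 0xff;
    img[11] = 0xff; img[6] = 0xff;
    return walk(img, 16, with_fix);
}
```

A header claiming 512 bytes passes the fixed 1024 bound but not the cptr bound, so without the fix the walk reads below index 0 and with it the header is skipped; a genuine 3-byte block is accepted either way.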