From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zekun Shen, Kalle Valo, Sasha Levin
Subject: [PATCH 5.13 339/380] ath9k: fix OOB read ar9300_eeprom_restore_internal
Date: Thu, 16 Sep 2021 18:01:36 +0200
Message-Id: <20210916155815.566242114@linuxfoundation.org>
In-Reply-To: <20210916155803.966362085@linuxfoundation.org>
References: <20210916155803.966362085@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zekun Shen

[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]

A bad header can have a large length field, which can cause an OOB read.
cptr is the last byte for the read, and the eeprom is parsed from high to
low address. The OOB, triggered by the condition length > cptr, could cause
a memory error with a read on a negative index.

There are some sanity checks around length, but it is not compared with
cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause a
panic.

I was able to reproduce the crash, but I cannot find the log and the
reproducer now. After I applied the patch, the bug is no longer
reproducible.

Signed-off-by: Zekun Shen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index b4885a700296..b0a4ca3559fd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", cptr, code, reference, length, major, minor); if ((!AR_SREV_9485(ah) && length >= 1024) || - (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || + (length > cptr)) { ath_dbg(common, EEPROM, "Skipping bad header\n"); cptr -= COMP_HDR_LEN; continue; -- 2.30.2
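Review bot: the new `(length > cptr)` clause may still be too loose a bound: the visible skip path (`cptr -= COMP_HDR_LEN`) shows that the COMP_HDR_LEN header bytes also occupy space at or below cptr, and the commit message says the block is read downward from cptr, so a length between cptr - COMP_HDR_LEN and cptr passes this check while the combined header-plus-data read could still reach below offset zero; consider folding the header size into the comparison, e.g. `length + COMP_HDR_LEN > cptr`, or adding a short comment explaining why length alone is sufficient. Minor: the extra parentheses around `length > cptr` are unnecessary next to the other two clauses, and since this clause does not depend on AR_SREV_9485 it reads more naturally as the first term of the condition.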