From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zekun Shen, Kalle Valo, Sasha Levin
Subject: [PATCH 5.4 169/260] ath9k: fix OOB read ar9300_eeprom_restore_internal
Date: Mon, 20 Sep 2021 18:43:07 +0200
Message-Id: <20210920163936.829836379@linuxfoundation.org>
In-Reply-To: <20210920163931.123590023@linuxfoundation.org>
References: <20210920163931.123590023@linuxfoundation.org>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Zekun Shen

[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]

A bad header can have a large length field, which can cause an OOB read. cptr is the last byte for the read, and the eeprom is parsed from high to low address. The OOB, triggered by the condition length > cptr, could cause a memory error with a read on a negative index. There are some sanity checks around length, but it is not compared with cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause a panic.

I was able to reproduce the crash, but I cannot find the log and the reproducer now. After I applied the patch, the bug is no longer reproducible.

Signed-off-by: Zekun Shen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index b4885a700296..b0a4ca3559fd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", cptr, code, reference, length, major, minor); if ((!AR_SREV_9485(ah) && length >= 1024) || - (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || + (length > cptr)) { ath_dbg(common, EEPROM, "Skipping bad header\n"); cptr -= COMP_HDR_LEN; continue; -- 2.30.2
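Review bot: the new bound `(length > cptr)` compares only the declared payload length with the remaining bytes, yet the skip path in this same hunk (`cptr -= COMP_HDR_LEN`) shows the header itself occupies COMP_HDR_LEN bytes at `cptr`, so a header with `length <= cptr` but `length + COMP_HDR_LEN > cptr` still passes the check; confirm against the read that follows this condition whether the bound should be `length + COMP_HDR_LEN > cptr` (plus whatever trailer that read covers). A one-line comment next to the new condition saying that `cptr` is the number of bytes remaining below the current position would also help, since at present only the commit message explains why `length` is compared with `cptr`.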
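As an added illustration of the bug class the commit message describes, the following C program is a constructed model and not ath9k code: it walks a small EEPROM-like image from the highest address downward, as the message says the real parser does, and shows a header whose length field is below the fixed 1024 bound but larger than the bytes remaining below `cptr` producing a negative-index read unless the parser also bounds the declared size by what remains. The header byte layout, the block framing (4-byte header, payload, 2-byte checksum), the constants and every function name are assumptions of this model; its check bounds the whole block (header plus payload plus checksum) against the remaining bytes, which is stricter than the hunk's `length > cptr`, and the sample image is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a block-stacked EEPROM image; not ath9k code. Layout
 * assumed here: a 4-byte header at the top of each block, then `length`
 * payload bytes and a 2-byte checksum at lower addresses, with blocks stacked
 * from the highest address downward as the commit message describes. */
#define HDR_LEN       4
#define CKSUM_LEN     2
#define MAX_BLOCK_LEN 1024   /* mirrors the driver's fixed `length >= 1024` bound */
#define IMG_LEN       64

/* Header bytes (this model's assumption): 0 = code, 1..2 = length LE, 3 = minor. */
static int hdr_length(const uint8_t *h) { return h[1] | (h[2] << 8); }

/* Copy `count` bytes reading downward from `address`. The real driver indexes
 * memory directly; this model refuses to go below index 0 and reports it,
 * which is the negative-index read the patch prevents. */
static bool read_down(const uint8_t *img, int address, uint8_t *dst, int count)
{
    for (int i = 0; i < count; i++) {
        if (address - i < 0)
            return false;
        dst[i] = img[address - i];
    }
    return true;
}

struct parse_result {
    int blocks_ok;    /* blocks accepted */
    int skipped;      /* headers rejected by the sanity check */
    int oob_attempts; /* reads that would have run below index 0 */
};

/* Walk the image from the top. bound_by_remaining == false applies only the
 * fixed upper bound on length (the pre-patch behaviour); true also requires
 * the whole block to fit in the cptr + 1 bytes at or below cptr. */
static struct parse_result restore_blocks(const uint8_t *img, int img_len,
                                          bool bound_by_remaining)
{
    struct parse_result r = {0, 0, 0};
    uint8_t word[HDR_LEN + MAX_BLOCK_LEN + CKSUM_LEN];
    int cptr = img_len - 1;

    while (cptr >= HDR_LEN) {
        uint8_t hdr[HDR_LEN];
        (void)read_down(img, cptr, hdr, HDR_LEN);  /* cptr >= HDR_LEN: in range */
        int length = hdr_length(hdr);
        if (hdr[0] == 0 && length == 0)
            break;                                 /* all-zero header: end of stack */

        int total = HDR_LEN + length + CKSUM_LEN;  /* bytes this block occupies */
        if (length >= MAX_BLOCK_LEN ||
            (bound_by_remaining && total > cptr + 1)) {
            r.skipped++;                           /* "Skipping bad header" */
            cptr -= HDR_LEN;
            continue;
        }
        if (!read_down(img, cptr, word, total)) {
            r.oob_attempts++;                      /* an unbounded parser crashes here */
            cptr -= HDR_LEN;
            continue;
        }
        r.blocks_ok++;
        cptr -= total;
    }
    return r;
}

/* Write a header at img[top]; with_payload also fills the payload bytes.
 * Returns the index where the next header would start. */
static int put_block(uint8_t *img, int top, int code, int length, bool with_payload)
{
    img[top] = (uint8_t)code;
    img[top - 1] = (uint8_t)(length & 0xff);
    img[top - 2] = (uint8_t)(length >> 8);
    img[top - 3] = 1;                              /* minor version */
    for (int i = 0; with_payload && i < length; i++)
        img[top - HDR_LEN - i] = (uint8_t)(0xA0 + i);  /* constructed payload */
    return top - (HDR_LEN + length + CKSUM_LEN);
}

/* Constructed image: two valid blocks, then a header claiming 100 payload bytes
 * (under the 1024 bound) although only 34 bytes remain at or below it. */
static struct parse_result demo(bool bound_by_remaining)
{
    uint8_t img[IMG_LEN];
    memset(img, 0, IMG_LEN);
    int top = put_block(img, IMG_LEN - 1, 1, 8, true);
    top = put_block(img, top, 2, 10, true);
    put_block(img, top, 3, 100, false);            /* corrupted length field */
    return restore_blocks(img, IMG_LEN, bound_by_remaining);
}

int main(void)
{
    struct parse_result before = demo(false), after = demo(true);
    printf("fixed bound only:     ok=%d skipped=%d oob=%d\n",
           before.blocks_ok, before.skipped, before.oob_attempts);
    printf("plus remaining bytes: ok=%d skipped=%d oob=%d\n",
           after.blocks_ok, after.skipped, after.oob_attempts);
    return 0;
}
```

With only the fixed bound the third header is accepted and the read runs below index 0 (`oob=1`); with the remaining-bytes bound the same header is skipped and the two valid blocks are still restored. The model checks the full block size rather than the payload alone because the read it performs covers header and checksum bytes too, which is the detail a reviewer would verify in the real driver before settling on `length > cptr`.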