Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3602180pxb; Mon, 24 Jan 2022 13:16:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJz+QsDWkotb/IIACcfwLNZWcFRsbApPtPUMaA8yDYKqI1ijkr12j134csDvtsvzko51oeKz X-Received: by 2002:a63:8c49:: with SMTP id q9mr12904473pgn.425.1643058837162; Mon, 24 Jan 2022 13:13:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643058837; cv=none; d=google.com; s=arc-20160816; b=OiQog6Ns+cqJezCpi21s67QpUnxFOBM8IHTy5ctC2jIHk43hp9RXHcWslcCHi99lMl u+13feCNKYGCIvw5OU4qh9X6qByCNZ/6LVsdZtzjEZ15vaItouX2osAq9NJA8BWuowLz 3f8//Bji0QDV1+Qji6F3NDmzLgZDcddWBzHligWV/fJGT46T+dqJFTCAhifXxK2rRg0m 90JJokcoMxC6L5ymvzAD9XGZ8u6te2neNYkSzVZfJ96O3//7dqBz9M2nu0sEDxF8Gtnz 5qPnq8CajOzwVseUXxt61vinVBpfpZb827lx6cnErrCRw5FWKinuffyqS5aADQXmyb25 U1vA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=2opN/+6BK6LXbc/WPDdCLkUpzn1Csp7a3InSkXUs0jg=; b=iRJIY2SlgzQBUWvpOVB7SKlpDtWof+LPNYt3IL6+wNqbeNkGD20rgu6MVJXQ7/VSAD oCxVaIqFSmGCxq+l8hacE2WbL4jNWGD3J68OhpKtHKlgUOpAoXv35NzDJNu0c/2ujs/M jG3gHOQCpP6PA9qT/LuuUJsQ7mZT6TshQwS70bNHtikUQ3r1GilZ/1y0dErlij0vT2QQ +IImssLQreP064N8RINk4GRsaFcrEIyp7VH96DIFvyk+bzR7toJWs4uT17e9SzM4FEt3 4Cwt+yYM/5wqN5vx+3yFRHrPMyFYe5VoLf5ASoOFi5oEm8OAi2LO6uuSD5b2C6iAGs5L GZAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zOg5ghPi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z17si3966980plg.464.2022.01.24.13.13.44; Mon, 24 Jan 2022 13:13:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zOg5ghPi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1387334AbiAXUgq (ORCPT + 99 others); Mon, 24 Jan 2022 15:36:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34304 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1355210AbiAXUNW (ORCPT ); Mon, 24 Jan 2022 15:13:22 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64FABC01D7C6; Mon, 24 Jan 2022 11:34:29 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 20793B811F9; Mon, 24 Jan 2022 19:34:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 484C7C340E7; Mon, 24 Jan 2022 19:34:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643052866; bh=Y61sEYe89JMN62S2d5pSk0ZMtlqtnSfDmA0d2mMjqnQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zOg5ghPi9P++ZIlF8nhfI1ZR/btNuxv0YTTR5CyW5RB9JmtV+YUnSTjN4O/+qr76u XS2WuZsh6lEqKziDIdUbZZfTmxxk+mlEpc+d0JjlypUMTrXlWM7w0Iepb2OZ8JXeAb K4If8OPKznMWKEviLAm2IOkOoDWzdD6ecuCh4Eeg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zekun Shen , Kalle Valo , Sasha Levin Subject: [PATCH 5.4 198/320] ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream Date: Mon, 24 Jan 2022 19:43:02 +0100 Message-Id: <20220124184000.365790613@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124183953.750177707@linuxfoundation.org> References: <20220124183953.750177707@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zekun Shen [ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ] Large pkt_len can lead to out-out-bound memcpy. Current ath9k_hif_usb_rx_stream allows combining the content of two urb inputs to one pkt. The first input can indicate the size of the pkt. Any remaining size is saved in hif_dev->rx_remain_len. While processing the next input, memcpy is used with rx_remain_len. 4-byte pkt_len can go up to 0xffff, while a single input is 0x4000 maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE. BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23 CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] __kasan_report.cold+0x37/0x7c ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] kasan_report+0xe/0x20 check_memory_region+0x15a/0x1d0 memcpy+0x20/0x50 ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] ? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __usb_unanchor_urb+0x12f/0x210 __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __hrtimer_run_queues+0x316/0x740 ? __usb_hcd_giveback_urb+0x380/0x380 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 irq_exit+0x114/0x140 smp_apic_timer_interrupt+0xde/0x380 apic_timer_interrupt+0xf/0x20 I found the bug using a custome USBFuzz port. It's a research work to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, providing hand-crafted usb descriptors to QEMU. After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU emulation, I found the KASAN report. The bug is triggerable whenever pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes to test the driver works when applying the patch. Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 2ed98aaed6fb5..c8c7afe0e343e 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -590,6 +590,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, return; } + if (pkt_len > 2 * MAX_RX_BUF_SIZE) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); + RX_STAT_INC(skb_dropped); + return; + } + pad_len = 4 - (pkt_len & 0x3); if (pad_len == 4) pad_len = 0; -- 2.34.1