From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
Subject: [PATCH 5.18 338/879] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
Date: Tue, 7 Jun 2022 18:57:36 +0200
Message-Id: <20220607165012.669140851@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>

From: Dan Carpenter

[ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ]

The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need
to ensure that it is within the bitmap.

drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'

Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept")
Signed-off-by: Dan Carpenter
Acked-by: Toke Høiland-Jørgensen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20220409061225.GA5447@kili
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c index 6a850a0bfa8a..a23eaca0326d 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c @@ -1016,6 +1016,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, goto rx_next; } + if (rxstatus->rs_keyix >= ATH_KEYMAX && + rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) { + ath_dbg(common, ANY, + "Invalid keyix, dropping (keyix: %d)\n", + rxstatus->rs_keyix); + goto rx_next; + } + /* Get the RX status information */ memset(rx_status, 0, sizeof(struct ieee80211_rx_status)); -- 2.35.1
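
Review bot: the bounds check on rxstatus->rs_keyix added in ath9k_rx_prepare() guards only this HTC receive path, while the test_bit() named in the commit message sits in ath9k_cmn_rx_accept() in common.c, so any other caller of that helper still has to validate the index itself. Consider also checking rs_keyix < ATH_KEYMAX next to the test_bit() call, or stating in the commit message why the remaining callers cannot pass an out-of-range value. The exemption for ATH9K_RXKEYIX_INVALID would benefit from a one-line comment saying that the value is a "no key" marker rather than a bitmap index, since the condition otherwise reads as letting one out-of-range value through. Because the only trace of a dropped frame is the ath_dbg(common, ANY, ...) message, a drop counter would make malformed status values from the device visible when debugging is off.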