Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2177768iof;
        Tue, 7 Jun 2022 22:17:47 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyEdHtYTK0TFfFvtQXTqlSfqMMB0+OGA8Po8a/YF/P7htNlcF5iW6hpWZcNfzzEBSlKFeP8
X-Received: by 2002:a63:8641:0:b0:3fd:94e8:a650 with SMTP id x62-20020a638641000000b003fd94e8a650mr14818595pgd.367.1654665467727;
        Tue, 07 Jun 2022 22:17:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1654665467; cv=none;
        d=google.com; s=arc-20160816;
        b=NEQK3I2nCX7YGIGCvO0YiGyGTPTWbdhp+4b/HY+hf4/o3fUU04KrGLJFpDu4GrmP8g
         HmQdDY6WcqRj37oAapOaNU86A6/x9t+aIs/AP97pV5bf6bxcvGZq5CPK3hRLEW+QgM9f
         Ek7SW8QPQALkfvCxODie4toODNvW3MjkB1p9mmwG6GB/0fozC69o/ahJ23aAUZqSsOvi
         0JOIPeTIGJUrYUResdbhSLTwv3a0+qtm4ClaY74Nom86AX5OKNC92/9GmsCJOd9X2Vde
         QyzYU9AKsXEd4oReHHYIxZE4rZ7ulUbMtWtpLnxY3GKdhdztkpXyds3PhyCHUWjZ95jh
         VHJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=AqGLUP5h1uzNv+vkN6uE8sJIE+2G3pnrff8DY1+0O6A=;
        b=WaWbDY+cgvr5it4JxC7F/WAJDn9J1MKjGuK0gjTxMc+BLE+pBM5qFS43OGjJhZw4Me
         WcvoPmaBfslhS3Q5VHYeLKakS6UgK9muADlB3wX2HAWKaU4/sYFUX+4RYZXuk8T9M4sI
         qcq5QEphbeLr+1M+lavpRARHsWLLHqy400QqVuFwytGwH9sR0zaK4i+xIKSGCEuSDLB4
         CRVojt7cpRNhOhyNsR9m7kO2Foh1HV2NuxqRp32VeW7LP/exJx38lYozB5IRrBFniZpx
         XINdHv5N8MTo02Wo0X++TtP+0Q+CF7RV2BNCaa2UMOy/VZt+W7eP3Gm64TC/aJ6HW6As
         mRDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="DA/tqeg7";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id ja20-20020a170902efd400b0016153e8acc9si23810089plb.607.2022.06.07.22.17.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Jun 2022 22:17:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="DA/tqeg7";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8DC2148A282;
	Tue,  7 Jun 2022 21:57:18 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1349390AbiFGWha (ORCPT <rfc822;abrown110010@gmail.com>
        + 99 others); Tue, 7 Jun 2022 18:37:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42204 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1378753AbiFGVX4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Jun 2022 17:23:56 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 215EF227CD0;
        Tue,  7 Jun 2022 12:01:01 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 9C66CB82399;
        Tue,  7 Jun 2022 19:01:00 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id EB705C385A5;
        Tue,  7 Jun 2022 19:00:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1654628459;
        bh=nJKABFV7L4RLPvBO5QH7DR8OColWYo8kBeH2aJhbCnU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=DA/tqeg70Hs78LKpyAzy8D8TITYv6ApEobCGvXIEqtWB/XkZsL9diVfdvjaaeU26H
         9RWbWNfKLhzpy7Ri7Clh/rIcv8eOAGjyq63IF7JNirSKw1z0W8zobi4S2T0ikDVKEo
         U0lRK36v07EiPlKicsmohrg80HBQkFmPQh3RRg8k=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
        =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>,
        Kalle Valo <quic_kvalo@quicinc.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.18 338/879] ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
Date:   Tue,  7 Jun 2022 18:57:36 +0200
Message-Id: <20220607165012.669140851@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ]

The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
ensure that it is within the bitmap.

drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'

Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220409061225.GA5447@kili
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 6a850a0bfa8a..a23eaca0326d 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -1016,6 +1016,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
 		goto rx_next;
 	}
 
+	if (rxstatus->rs_keyix >= ATH_KEYMAX &&
+	    rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) {
+		ath_dbg(common, ANY,
+			"Invalid keyix, dropping (keyix: %d)\n",
+			rxstatus->rs_keyix);
+		goto rx_next;
+	}
+
 	/* Get the RX status information */
 
 	memset(rx_status, 0, sizeof(struct ieee80211_rx_status));
-- 
2.35.1