Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp134470rwd; Sat, 13 May 2023 14:50:18 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4jQSsMGa7y/jobULQmKuRYRo2Z1DdsajLyy0dgkeStIfSUrBRNbbYrvFm0UVzbGn9jwH7W X-Received: by 2002:a05:6a00:16d3:b0:63d:3f74:9df7 with SMTP id l19-20020a056a0016d300b0063d3f749df7mr34452810pfc.34.1684014617964; Sat, 13 May 2023 14:50:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684014617; cv=none; d=google.com; s=arc-20160816; b=yaBbarrwg9ytVdKA/JtnBq27kbeIOE8YvUSCUVRK0+LSqeQQQgBLQQWW2hWsheQP9c 0HFqvp1Bu8KO8uv32WpGa66jouYz9TCG7OncG12CiB7MocrB1TPt0vUu6yHIUXY2x3Kb 7BI6k9zdpPEejFuJCSKRcKrSDzZp7eM50xviESTeHaDEW+AazlBNVntsDIKoPDpALF8q 0ooyL39ZmiW9CIcN+v9G8j0IBJ/FXwDqWp57zohAkKl3xzSHRBOAIS1Xfgu4Jk5dVWSP CaW01K2VNO5dLwqX2tIGOruAIkXHo2TwhHRmZR3WhrVQhFtO1n3hhGLkX+36qhVj3whW wEeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-filter; bh=h5VwOgu4Ms78MtO1SJ+EbrnBbcjgQHHWiMcv59ZFSQs=; b=z2NG9zHDAERpoKbQKHW/Dh0/IQvvsG6xWh8RJ4fuMex/4ynyZjWNKMls7cBzBxxTi/ hZZsxmaySrhQxJm0aouHU8Byv9op7yLR9V028FRRTuh1YJBKqdp9sbkyIcgziDjtljGZ DqpeQlw961V4dqMeyEXS1Fwqxg9gRu0QDRfriO1xKhbaz9SzJ9tDKSI1zZSzWlLDg4Ne tmQ64VQDqTwLVipY6SdBMe+2A5j5qn5HwKJQLA+jUNrKcXmegnn5FwdXrv5nOdp05t1a 5HW1s47xDTZQM0WYQhvmAj+PAl+9iUmTnQu9Zcjw/NuxDQFXn7ZImEvdb1p+3/C53Y23 d++A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=n54qSLzE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n127-20020a632785000000b005321c340960si1212710pgn.811.2023.05.13.14.50.03; Sat, 13 May 2023 14:50:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=n54qSLzE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230430AbjEMVM2 (ORCPT + 99 others); Sat, 13 May 2023 17:12:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48406 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229799AbjEMVM0 (ORCPT ); Sat, 13 May 2023 17:12:26 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A9B61997; Sat, 13 May 2023 14:12:25 -0700 (PDT) Received: from fpc (unknown [10.10.165.8]) by mail.ispras.ru (Postfix) with ESMTPSA id 8D4FF44C100C; Sat, 13 May 2023 21:12:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 8D4FF44C100C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1684012341; bh=h5VwOgu4Ms78MtO1SJ+EbrnBbcjgQHHWiMcv59ZFSQs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=n54qSLzEKR06mgSWFz9DOGBBEfBdAxzLrb0WYa8XCQDbRx1opF5RTbluQWabw/lyl kyoa3nrgWVUGKCW9fhG0zEYfmxaUcHDKVYadkp1N5a0lk0qoENgaQHq5PENP2Yi9Eo LbsgEUap0NBvo18y5yo3n9KyoA4i000wfnm36jM4= Date: Sun, 14 May 2023 00:12:14 +0300 From: Fedor Pchelkin To: Takeshi Misawa , Kalle Valo Cc: linux-wireless@vger.kernel.org, Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= , Sujith , Vasanthakumar Thiagarajan , Senthil Balasubramanian , "John W. Linville" , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov , lvc-project@linuxtesting.org Subject: Re: [PATCH] wifi: ath9k: Fix memory leak in htc_connect_service Message-ID: <20230513211214.qtr7yejodbubjbyd@fpc> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Sat, May 06, 2023 at 02:26:20PM +0900, Takeshi Misawa wrote: > Timeout occurs in htc_connect_service(), then this function returns > without freeing skb. > > Fix this by going to err path. This will lead to UAF [1]. If a timeout occurs, htc_connect_service() returns with error but it is possible that a belated callback will touch the already freed SKB. It is actually a callback's responsibilty to free the buffer. The callback is ath9k_htc_txcompletion_cb(). As the urb is submitted, callback should be always executed, otherwise there is an error in usb core, not ath9k. So the problem lies in somewhat another place. htc_connect_service() issues service connection requests via control ENDPOINT0. Its pipe_ids are configured in ath9k_htc_hw_alloc(): /* Assign control endpoint pipe IDs */ endpoint = &target->endpoint[ENDPOINT0]; endpoint->ul_pipeid = hif->control_ul_pipe; endpoint->dl_pipeid = hif->control_dl_pipe; ul_pipe is USB_REG_OUT_PIPE and service connection requests should go that way. However, the reproducer managed to issue the WMI_CMD and Beacon requests via USB_REG_OUT_PIPE, but the third one was issued via USB_WLAN_TX_PIPE. As it went on the wrong way, the SKB simply got lost in __hif_usb_tx() as the special conditions weren't satisfied. Somehow the ENDPOINT0 ul_pipeid has unexpectedly changed... Well, it is htc_process_conn_rsp() which received a badly constructed "service connection reply" from a bad USB device: the endpoint which attributes were to be changed pointed to ENDPOINT0 which should never happen with healthy firmware. But ENDPOINT0 pipeid attributes were changed, so the next service conn requests went on the wrong path. The fix seems to be that htc_process_conn_rsp() should immediately return if the received endpoint which is to be connected to a new service is ENDPOINT0. [1]: https://lore.kernel.org/linux-wireless/20200404041838.10426-2-hqjagain@gmail.com/ > > syzbot report: > BUG: memory leak > unreferenced object 0xffff88810a980800 (size 240): > comm "kworker/1:1", pid 24, jiffies 4294947427 (age 16.220s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [] __alloc_skb+0x206/0x270 net/core/skbuff.c:552 > [] alloc_skb include/linux/skbuff.h:1270 [inline] > [] htc_connect_service+0x121/0x230 drivers/net/wireless/ath/ath9k/htc_hst.c:259 > [] ath9k_htc_connect_svc drivers/net/wireless/ath/ath9k/htc_drv_init.c:137 [inline] > [] ath9k_init_htc_services.constprop.0+0xe5/0x390 drivers/net/wireless/ath/ath9k/htc_drv_init.c:157 > [] ath9k_htc_probe_device+0xf7/0x8a0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959 > [] ath9k_htc_hw_init+0x35/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:521 > [] ath9k_hif_usb_firmware_cb+0xcd/0x1f0 drivers/net/wireless/ath/ath9k/hif_usb.c:1243 > [] request_firmware_work_func+0x4b/0x90 drivers/base/firmware_loader/main.c:1107 > [] process_one_work+0x2ba/0x5f0 kernel/workqueue.c:2289 > [] worker_thread+0x5d/0x5b0 kernel/workqueue.c:2436 > [] kthread+0x129/0x170 kernel/kthread.c:376 > [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 > > Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") > Link: https://syzkaller.appspot.com/bug?id=fbf138952d6c1115ba7d797cf7d56f6935184e3f > Reported-and-tested-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com > Signed-off-by: Takeshi Misawa > --- > drivers/net/wireless/ath/ath9k/htc_hst.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c > index ca05b07a45e6..6878da6d15b4 100644 > --- a/drivers/net/wireless/ath/ath9k/htc_hst.c > +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c > @@ -285,7 +285,8 @@ int htc_connect_service(struct htc_target *target, > if (!time_left) { > dev_err(target->dev, "Service connection timeout for: %d\n", > service_connreq->service_id); > - return -ETIMEDOUT; > + ret = -ETIMEDOUT; > + goto err; > } > > *conn_rsp_epid = target->conn_rsp_epid; > -- > 2.39.2 >