Date: Sun, 2 May 2021 22:28:27 +0200
From: Florian Westphal
To: Phillip Potter
Cc: kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ath9k-devel@qca.qualcomm.com
Subject: Re: [PATCH] ath9k: ath9k_htc_rx_msg: return when sk_buff is too small
Message-ID: <20210502202827.GG975@breakpoint.cc>
References: <20210502202545.1405-1-phil@philpotter.co.uk>
In-Reply-To: <20210502202545.1405-1-phil@philpotter.co.uk>
X-Mailing-List: linux-wireless@vger.kernel.org

Phillip Potter wrote:
> At the start of ath9k_htc_rx_msg, we check to see if the skb pointer is
> valid, but what we don't do is check if it is large enough to contain a
> valid struct htc_frame_hdr. We should check for this and return, as the
> buffer is invalid in this case. Fixes a KMSAN-found uninit-value bug
> reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=7dccb7d9ad4251df1c49f370607a49e1f09644ee
>
> Reported-by: syzbot+e4534e8c1c382508312c@syzkaller.appspotmail.com
> Signed-off-by: Phillip Potter
> ---
>  drivers/net/wireless/ath/ath9k/htc_hst.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> index 510e61e97dbc..9dbfff7a388e 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> @@ -403,7 +403,7 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
>  	struct htc_endpoint *endpoint;
>  	__be16 *msg_id;
>  
> -	if (!htc_handle || !skb)
> +	if (!htc_handle || !skb || !pskb_may_pull(skb, sizeof(struct htc_frame_hdr)))
>  		return;

This leaks the skb.
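Review bot: the `pskb_may_pull()` test added to the `if (!htc_handle || !skb || ...)` line sends a non-NULL but too-small skb down a bare `return`, so the buffer handed to ath9k_htc_rx_msg() is never freed (the leak Florian points out). Leave the NULL checks as they are and test the length in a separate statement that releases the skb before returning, for example `if (!pskb_may_pull(skb, sizeof(struct htc_frame_hdr))) { kfree_skb(skb); return; }`, using whichever free variant (kfree_skb or dev_kfree_skb_any) the function's other invalid-message exits already use so that every path out of the function consumes the skb consistently.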
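To make the two points of this thread concrete (validate the buffer can hold the header before touching it, and release the buffer on the rejecting path rather than just returning), here is an added user-space model written for this page. It is not ath9k or kernel code: `struct frame_hdr`, `struct buf`, `rx_msg`, `demo_rx`, `be16_get`, `MAX_ENDPOINTS` and the three constructed frames are this example's own names and assumptions, with the 8-byte header layout only modelled on the HTC frame header the patch sizes against. The example goes one step beyond the patch by also checking that the length the header claims actually fits in the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 8-byte header, modelled on the HTC frame header the patch
 * checks for; field names are the example's own, not the driver's. */
struct frame_hdr {
	uint8_t endpoint_id;
	uint8_t flags;
	uint8_t payload_len[2];   /* big-endian on the wire */
	uint8_t control[4];
};

#define MAX_ENDPOINTS 8   /* assumed endpoint table size for the example */

/* Stand-in for an sk_buff: a heap buffer plus its length. */
struct buf {
	size_t len;
	uint8_t *data;
};

/* Buffers allocated but not yet freed; lets a test prove that no exit
 * path of rx_msg() leaks the buffer it was handed. */
static int live_bufs;

static struct buf *buf_alloc(const uint8_t *src, size_t len)
{
	struct buf *b = malloc(sizeof(*b));
	if (!b)
		return NULL;
	b->data = malloc(len ? len : 1);
	if (!b->data) {
		free(b);
		return NULL;
	}
	if (len)
		memcpy(b->data, src, len);
	b->len = len;
	live_bufs++;
	return b;
}

static void buf_free(struct buf *b)
{
	if (!b)
		return;
	free(b->data);
	free(b);
	live_bufs--;
}

enum rx_status { RX_OK = 0, RX_TOO_SHORT = 1, RX_BAD_EP = 2, RX_NULL = 3 };

struct rx_result {
	enum rx_status status;
	uint8_t endpoint_id;      /* only meaningful when status == RX_OK */
	uint16_t payload_len;     /* only meaningful when status == RX_OK */
};

static uint16_t be16_get(const uint8_t p[2])
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Consumes 'b' the way ath9k_htc_rx_msg() consumes its skb: the caller
 * gives up ownership on the call, so every path out of here must free it. */
static struct rx_result rx_msg(struct buf *b)
{
	struct rx_result r = { RX_NULL, 0, 0 };
	struct frame_hdr hdr;

	if (!b)
		return r;   /* nothing was handed over, nothing to free */

	/* The size check the patch adds, before any header byte is read.
	 * Unlike the patch's bare return, the buffer is released at 'out'. */
	if (b->len < sizeof(hdr)) {
		r.status = RX_TOO_SHORT;
		goto out;
	}
	memcpy(&hdr, b->data, sizeof(hdr));   /* copy: no alignment assumptions */

	/* Beyond the patch: the payload length the header claims must fit too. */
	if ((size_t)be16_get(hdr.payload_len) > b->len - sizeof(hdr)) {
		r.status = RX_TOO_SHORT;
		goto out;
	}
	if (hdr.endpoint_id >= MAX_ENDPOINTS) {
		r.status = RX_BAD_EP;
		goto out;
	}
	r.status = RX_OK;
	r.endpoint_id = hdr.endpoint_id;
	r.payload_len = be16_get(hdr.payload_len);
out:
	buf_free(b);   /* single release point shared by every path */
	return r;
}

/* Constructed frames for the demonstration (not captured traffic). */
static const uint8_t short_frame[3] = { 0x01, 0x00, 0x00 };                /* shorter than a header */
static const uint8_t truncated_frame[10] = { 0x02, 0, 0x00, 0x04, 0, 0, 0, 0, 0xde, 0xad };            /* claims 4 payload bytes, carries 2 */
static const uint8_t good_frame[12] = { 0x02, 0, 0x00, 0x04, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef };     /* endpoint 2, 4 payload bytes */

/* Copies a constructed frame into a fresh buffer and hands it to rx_msg(). */
struct rx_result demo_rx(const uint8_t *frame, size_t len)
{
	struct buf *b = buf_alloc(frame, len);
	struct rx_result fail = { RX_NULL, 0, 0 };
	return b ? rx_msg(b) : fail;
}

int live_buffers(void)
{
	return live_bufs;
}

int main(void)
{
	struct rx_result r = demo_rx(good_frame, sizeof(good_frame));
	int ok = r.status == RX_OK && r.endpoint_id == 2 && r.payload_len == 4
		 && demo_rx(short_frame, sizeof(short_frame)).status == RX_TOO_SHORT
		 && live_buffers() == 0;
	return ok ? 0 : 1;
}
```

The design point is the single `out:` label: the rejecting checks and the success path converge on one `buf_free()`, so adding a new validation later cannot introduce the kind of leak the quoted hunk does. In the driver the equivalent is to route the too-small case to whatever invalid-message exit already frees the skb instead of returning from the NULL-pointer guard.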