Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp2168948pxy;
        Sun, 2 May 2021 13:47:56 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwNk20xA4C8G7cZQoRuI1whcpgeNImdfAziLzvVaXvCx5432RVTXuqViePriogJY1EOSwmY
X-Received: by 2002:a17:902:e84a:b029:ed:57e5:b223 with SMTP id t10-20020a170902e84ab02900ed57e5b223mr16670276plg.40.1619988475947;
        Sun, 02 May 2021 13:47:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619988475; cv=none;
        d=google.com; s=arc-20160816;
        b=CsudpIGcoxfwP42PNfV3o975mGMLvwDuIOX9mhtjtMz8kwHC/yz84gzke30993wuZw
         cfv4D49E7A5Gb1uutl5RtpWwZZyG2BMtfvknG/FL1SfFicaIXF5eC+TRZG91BsMGuNKa
         slBc0uoS5UWzyKiWNhSBMIQZ6+g7E9ANXNm8vaBPaF9MzrFTjkYSJDiQVRFqAgsdUoXh
         9o5obP88cUWI2XUiATLJqiQ+St8V/lrP6mx8FXO0W66BlviLrkAGbERnWTFcruUyKrw1
         HzjPzAClVLUWEHzHCCEUhCK1ovqmCAXI98q87Aemw50SHtxdwf7xNFqmuAgzWve0TbIU
         PZhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=wyv+AJDBJXfhuMypHrWLPCa+O4wXV6R5dC9sAiCj6jQ=;
        b=dg/1H0OzDQttBkyJ1bn9Ou4hRhBzACp1MHfyDHr4OI/kByQMhUcLvCiaQXFchibCE/
         yCR7bn9CQqFBnvV15a3Toy2t1EmrPBq2WdsVzR1gQZ5ADbeJXmlQD0tBC2JMcqqXsc+H
         dQ3rK8ekw3o81CdIP4eP4ThZDwEhv3++68/l8rVKUYONoiTIG6N04L7jYBLJ/E1nP4BW
         PGJDu+Uzn7mvTNQmN1X13HA/YKTqeypt1oFm1y1VypV6iTc5PpiJ+CouJegLCW+j1mYR
         zdmBx8USE96aZlLvPFJOO58serQx5IQDqTMihgb9L3hDZPl+HDpkmviYrik3dAnwxw9/
         /4kA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@philpotter-co-uk.20150623.gappssmtp.com header.s=20150623 header.b=vRTAnhmL;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id lx6si25109747pjb.138.2021.05.02.13.47.42;
        Sun, 02 May 2021 13:47:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@philpotter-co-uk.20150623.gappssmtp.com header.s=20150623 header.b=vRTAnhmL;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232526AbhEBUsa (ORCPT <rfc822;ceo.teo.en.ming@gmail.com>
        + 99 others); Sun, 2 May 2021 16:48:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44040 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232338AbhEBUsa (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Sun, 2 May 2021 16:48:30 -0400
Received: from mail-wm1-x342.google.com (mail-wm1-x342.google.com [IPv6:2a00:1450:4864:20::342])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0853FC061756
        for <linux-wireless@vger.kernel.org>; Sun,  2 May 2021 13:47:38 -0700 (PDT)
Received: by mail-wm1-x342.google.com with SMTP id y124-20020a1c32820000b029010c93864955so4637584wmy.5
        for <linux-wireless@vger.kernel.org>; Sun, 02 May 2021 13:47:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=philpotter-co-uk.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=wyv+AJDBJXfhuMypHrWLPCa+O4wXV6R5dC9sAiCj6jQ=;
        b=vRTAnhmLzGTF3e54S3YA4hpD2xQkBbcb4rqSbD7lTazG2v+3IQW0RleaTDBJm7Xdb3
         edcqbawqjf2eE+rBYnk+IO7tShE13i9muy7hlfoKaBVK+f5+qz6TwOTUAksaDLUqWD61
         llW4ytwxccbIvYMa68eoTlJHH3Pq797KE9wPfLYJhnq9+D4O28Bh3iNUpScCfeNxYwbL
         ELdhi+b0kO5av/rRMV/bQpHye9bom4VzPSgTHr4zg0yRVxDmmHJqWjje+vm+AOmugTTA
         kEPkbN1gp918Y/xQIruPBaLO108KLgaQbGd6PlYrDUAsMugh7tNDWQXJLUvVCjybuRCh
         3M4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=wyv+AJDBJXfhuMypHrWLPCa+O4wXV6R5dC9sAiCj6jQ=;
        b=mq59ynvDbtP/HX4X7FCRBa7aQNEgmWw7zBOqRXyzzkp9xhpuYAO3okkmo0lHNeERhc
         lLzXnfCDrB4PAwVYBHUFwcln2bS3D5C7I8PFvR4OPjxM5RQ++aWKkndn5Rzg8dIrOfLW
         dtw0TMCwJ3zryP7hbnn36dbGJlUS6clRlWKPhm1VHS8h2rfF5SQr/Yq0ayOv4x74Qlxt
         PjiXizgcGVgx0syW+uHGg2DBTtTHhFMSLS3Dc3g0m0z5dqN0JiKsZqlmAQF6QHpIJfZ1
         FoXL6ik+dDjCTGTLXzxV6VhTKF7p+okd6EXSfvevy9Hq1Rn8GFebzB6Gd5vRvNhIY5I0
         6gGw==
X-Gm-Message-State: AOAM530LY/wgFHhpwDr/o5JF8P9W/T9wNWxlQCEjZuEL1upa0Wc38CMd
        nXEYTt4jNoXOqV80tOl9GVQWMA==
X-Received: by 2002:a05:600c:220e:: with SMTP id z14mr18315796wml.0.1619988456731;
        Sun, 02 May 2021 13:47:36 -0700 (PDT)
Received: from equinox (2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.1.e.e.d.f.d.0.b.8.0.1.0.0.2.ip6.arpa. [2001:8b0:dfde:e1a0::2])
        by smtp.gmail.com with ESMTPSA id c8sm19286846wmr.48.2021.05.02.13.47.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 02 May 2021 13:47:36 -0700 (PDT)
Date:   Sun, 2 May 2021 21:47:34 +0100
From:   Phillip Potter <phil@philpotter.co.uk>
To:     Florian Westphal <fw@strlen.de>
Cc:     kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org,
        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, ath9k-devel@qca.qualcomm.com
Subject: Re: [PATCH] ath9k: ath9k_htc_rx_msg: return when sk_buff is too small
Message-ID: <YI8P5pp6b87OEoDo@equinox>
References: <20210502202545.1405-1-phil@philpotter.co.uk>
 <20210502202827.GG975@breakpoint.cc>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210502202827.GG975@breakpoint.cc>
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Sun, May 02, 2021 at 10:28:27PM +0200, Florian Westphal wrote:
> Phillip Potter <phil@philpotter.co.uk> wrote:
> > At the start of ath9k_htc_rx_msg, we check to see if the skb pointer is
> > valid, but what we don't do is check if it is large enough to contain a
> > valid struct htc_frame_hdr. We should check for this and return, as the
> > buffer is invalid in this case. Fixes a KMSAN-found uninit-value bug
> > reported by syzbot at:
> > https://syzkaller.appspot.com/bug?id=7dccb7d9ad4251df1c49f370607a49e1f09644ee
> > 
> > Reported-by: syzbot+e4534e8c1c382508312c@syzkaller.appspotmail.com
> > Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
> > ---
> >  drivers/net/wireless/ath/ath9k/htc_hst.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> > index 510e61e97dbc..9dbfff7a388e 100644
> > --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> > +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> > @@ -403,7 +403,7 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
> >  	struct htc_endpoint *endpoint;
> >  	__be16 *msg_id;
> >  
> > -	if (!htc_handle || !skb)
> > +	if (!htc_handle || !skb || !pskb_may_pull(skb, sizeof(struct htc_frame_hdr)))
> >  		return;
> 
> This leaks the skb.

Dear Florian,

Thank you, and apologies, I shall resend. Not sure how I missed that.

Regards,
Phil