From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zekun Shen, Kalle Valo, Sasha Levin, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 214/219] ath9k: fix OOB read ar9300_eeprom_restore_internal
Date: Thu, 9 Sep 2021 07:46:30 -0400
Message-Id: <20210909114635.143983-214-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210909114635.143983-1-sashal@kernel.org>
References: <20210909114635.143983-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

From: Zekun Shen

[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]

A bad header can have a large length field, which can cause an OOB read.
cptr is the last byte for the read, and the EEPROM is parsed from high to
low address. The OOB, triggered by the condition length > cptr, could
cause a memory error with a read on a negative index. There are some
sanity checks around length, but it is not compared with cptr (the
remaining bytes). Here, a corrupted/bad EEPROM can cause a panic.

I was able to reproduce the crash, but I cannot find the log and the
reproducer now. After I applied the patch, the bug is no longer
reproducible.

Signed-off-by: Zekun Shen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index b4885a700296..b0a4ca3559fd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", cptr, code, reference, length, major, minor); if ((!AR_SREV_9485(ah) && length >= 1024) || - (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || + (length > cptr)) { ath_dbg(common, EEPROM, "Skipping bad header\n"); cptr -= COMP_HDR_LEN; continue; -- 2.30.2
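Review bot: the new `(length > cptr)` bound only accounts for the data bytes, but the header sitting at cptr is COMP_HDR_LEN bytes itself (the skip path's `cptr -= COMP_HDR_LEN` steps over exactly that), so with parsing running from high to low address a header claiming length == cptr passes this test yet still describes a block whose data ends below offset 0. Consider tightening the bound to cover the header, e.g. `length + COMP_HDR_LEN > cptr`, and, after confirming against the read that follows this check how many bytes beyond `length` it fetches (a trailing checksum is not visible in the hunk), include those bytes as well. Minor style point: the parentheses around `(length > cptr)` are not needed for a single comparison, though they do mirror the two bracketed conditions above it.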
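To make the bound in this patch concrete, the following is an added example and not code from the ath9k driver or from the patch author. It models the high-to-low block walk the commit message describes on a constructed 64-byte EEPROM image and runs three header checks over it: the pre-patch check (`length >= 1024` only), the patch's check (plus `length > cptr`), and a stricter variant that also accounts for the header and checksum bytes below cptr. The 4-byte header layout, the 2-byte trailing checksum, the constants COMP_HDR_LEN, COMP_CKSUM_LEN and IMG_LEN, the end-of-list code 0, and the helpers `read_backward`, `walk_blocks`, `put_block` and `run_scenario` are assumptions of this model, not the driver's exact format or API.

```c
/* Added example, not ath9k code: a model of the downward block walk in
 * ar9300_eeprom_restore_internal, with the pre-patch check, the patch's
 * length > cptr check and a stricter variant side by side. Header layout,
 * checksum, sizes and helper names are assumptions of this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMP_HDR_LEN   4    /* assumed header size; the hunk steps by COMP_HDR_LEN */
#define COMP_CKSUM_LEN 2    /* assumed size of the checksum trailing each block */
#define MAX_BLOCK_LEN  1024 /* the non-9485 limit seen in the hunk */
#define IMG_LEN        64   /* size of the constructed EEPROM image */

enum check_mode { CHECK_OLD,    /* length >= 1024 only (before the patch) */
                  CHECK_PATCH,  /* also length > cptr (the patch) */
                  CHECK_FULL }; /* also the header and checksum bytes (stricter, assumed) */
enum scenario { SCN_CLEAN, SCN_OVERSIZED, SCN_EDGE };

/* Read count bytes ending at address, walking downward like the driver's EEPROM
 * reader; unlike the driver, refuse to go below offset 0 and report it. */
static bool read_backward(const uint8_t *eep, int eep_len, int address,
                          uint8_t *out, int count)
{
    if (address < 0 || address >= eep_len || address - (count - 1) < 0)
        return false;
    for (int i = 0; i < count; i++)
        out[i] = eep[address - i];
    return true;
}

/* Assumed header: byte 0 = code (0 ends the list), bytes 1-2 = length LE, byte 3 = minor. */
static int hdr_length(const uint8_t *hdr) { return hdr[1] | (hdr[2] << 8); }

static uint16_t cksum(const uint8_t *data, int len)
{
    uint16_t s = 0;
    for (int i = 0; i < len; i++) s += data[i];
    return s;
}

/* Walk blocks from the top of the image down. Returns the number of blocks whose
 * checksum verified, or -1 if a read would have left the buffer. */
static int walk_blocks(const uint8_t *eep, int eep_len, enum check_mode mode)
{
    uint8_t word[COMP_HDR_LEN + MAX_BLOCK_LEN + COMP_CKSUM_LEN];
    int cptr = eep_len - 1, good = 0;
    while (cptr >= COMP_HDR_LEN) {
        if (!read_backward(eep, eep_len, cptr, word, COMP_HDR_LEN)) return -1;
        if (word[0] == 0) break;
        int length = hdr_length(word);
        int total = COMP_HDR_LEN + length + COMP_CKSUM_LEN;
        bool bad = length >= MAX_BLOCK_LEN;
        if (mode >= CHECK_PATCH) bad = bad || length > cptr;
        if (mode == CHECK_FULL) bad = bad || total > cptr + 1; /* cptr + 1 bytes lie at or below cptr */
        if (bad) {
            cptr -= COMP_HDR_LEN;   /* "Skipping bad header" */
            continue;
        }
        if (!read_backward(eep, eep_len, cptr, word, total)) return -1; /* the negative-index read */
        uint16_t stored = word[COMP_HDR_LEN + length] | (word[COMP_HDR_LEN + length + 1] << 8);
        if (cksum(&word[COMP_HDR_LEN], length) == stored) good++;
        cptr -= total;
    }
    return good;
}

/* Lay one block into the image: header at *top, data beneath it, checksum beneath that. */
static void put_block(uint8_t *eep, int *top, uint8_t code,
                      const uint8_t *data, int length, int claimed)
{
    uint16_t c = cksum(data, length);
    uint8_t hdr[COMP_HDR_LEN] = { code, (uint8_t)claimed, (uint8_t)(claimed >> 8), 1 };
    uint8_t tail[COMP_CKSUM_LEN] = { (uint8_t)c, (uint8_t)(c >> 8) };
    int pos = *top;
    for (int i = 0; i < COMP_HDR_LEN; i++)   eep[pos--] = hdr[i];
    for (int i = 0; i < length; i++)         eep[pos--] = data[i];
    for (int i = 0; i < COMP_CKSUM_LEN; i++) eep[pos--] = tail[i];
    *top = pos;
}

/* Constructed images: two good blocks; a header claiming 600 bytes over 8; length == cptr. */
static int run_scenario(enum scenario s, enum check_mode mode)
{
    uint8_t eep[IMG_LEN];
    const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }, zeros[8] = { 0 };
    int top = IMG_LEN - 1;
    memset(eep, 0, sizeof eep);   /* code 0 below the last block ends the walk */
    if (s == SCN_EDGE) {
        put_block(eep, &top, 1, zeros, 8, IMG_LEN - 1);
    } else {
        put_block(eep, &top, 1, payload, 8, 8);
        put_block(eep, &top, 2, zeros, 8, s == SCN_OVERSIZED ? 600 : 8);
    }
    return walk_blocks(eep, IMG_LEN, mode);
}

int main(void)
{
    const char *names[] = { "clean", "oversized", "edge" };
    for (int s = 0; s < 3; s++)
        printf("%-9s old=%d patch=%d full=%d\n", names[s], run_scenario(s, CHECK_OLD),
               run_scenario(s, CHECK_PATCH), run_scenario(s, CHECK_FULL));
    return 0;
}
```

In this model the oversized header is the commit message's case: before the patch the walk tries to read 606 bytes below offset 49 and `walk_blocks` reports the out-of-bounds read, while with `length > cptr` the header is skipped and the walk ends cleanly. The edge image, where the claimed length equals cptr exactly, still fails with the patch's check and passes only when the header and checksum bytes are counted too; whether the real driver has the same gap depends on how many bytes its read after the check fetches beyond `length`, which this model assumes rather than reproduces.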