From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zekun Shen, Kalle Valo, Sasha Levin, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 56/59] ath9k: fix OOB read ar9300_eeprom_restore_internal
Date: Thu, 9 Sep 2021 07:58:57 -0400
Message-Id: <20210909115900.149795-56-sashal@kernel.org>
In-Reply-To: <20210909115900.149795-1-sashal@kernel.org>
References: <20210909115900.149795-1-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
X-stable: review
X-Mailing-List: linux-wireless@vger.kernel.org

From: Zekun Shen

[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]

A bad header can have a large length field which can cause an OOB. cptr is the last bytes for read, and the eeprom is parsed from high to low address. The OOB, triggered by the condition length > cptr, could cause a memory error with a read on a negative index.

There are some sanity checks around length, but it is not compared with cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause a panic.

I was able to reproduce the crash, but I cannot find the log and the reproducer now. After I applied the patch, the bug is no longer reproducible.

Signed-off-by: Zekun Shen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index 76385834a7de..694a58b1e995 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3346,7 +3346,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", cptr, code, reference, length, major, minor); if ((!AR_SREV_9485(ah) && length >= 1024) || - (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || + (length > cptr)) { ath_dbg(common, EEPROM, "Skipping bad header\n"); cptr -= COMP_HDR_LEN; continue; -- 2.30.2
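Review bot: the new `(length > cptr)` test bounds only the declared data length against the remaining address space, yet the skip path directly below it subtracts COMP_HDR_LEN, which shows each block is framed by header bytes beyond `length`. If the read that follows this check covers the header together with the data, a length just under cptr can still reach below address 0; consider tightening the bound to the full span that read covers (for instance `length + COMP_HDR_LEN > cptr`, plus any trailer the block carries) and stating in the commit message why the absolute 1024 / EEPROM_DATA_LEN_9485 caps were insufficient on their own. Since the new condition does not depend on AR_SREV_9485, it could also be listed first so the chip-specific caps read as refinements of it.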
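Added example, not the driver's code and not the real ar9300 block layout (a simplified 4-byte header with a 2-byte checksum is assumed here): a C model of the high-to-low EEPROM block walk with the pre-fix check beside a bounded one, showing that a length under the absolute cap but larger than the remaining bytes is skipped rather than read past address 0. The bound used here also counts the header and checksum bytes, which is stricter than the patch's `length > cptr`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model (assumed layout, not the real ar9300 packing): 4-byte
 * header = code, len lo, len hi, pad; data + 2-byte checksum lie below it. */
#define HDR_LEN    4
#define CKSUM_LEN  2
#define MAX_LEN    1024               /* absolute cap, like 'length >= 1024' */
#define SAMPLE_LEN 64
struct walk_result { int accepted, skipped, oob; };
/* Read 'count' bytes ending at cptr (EEPROM is read high to low); refuse
 * rather than index below address 0, which is the pre-fix negative index. */
static bool read_down(const uint8_t *img, size_t cptr, size_t count, uint8_t *out)
{
    if (count > cptr) return false;
    memcpy(out, img + cptr - count, count);
    return true;
}
/* check_remaining=false is the pre-fix logic (absolute cap only); true also
 * bounds the whole block, header and checksum included, against cptr. */
static struct walk_result walk_blocks(const uint8_t *img, size_t img_len, bool check_remaining)
{
    struct walk_result r = {0, 0, 0};
    uint8_t hdr[HDR_LEN], body[HDR_LEN + MAX_LEN + CKSUM_LEN];
    size_t cptr = img_len, length;
    while (cptr >= HDR_LEN) {
        read_down(img, cptr, HDR_LEN, hdr);
        if (hdr[0] == 0) break;                       /* code 0: end of data */
        length = hdr[1] | ((size_t)hdr[2] << 8);
        if (length >= MAX_LEN ||
            (check_remaining && HDR_LEN + length + CKSUM_LEN > cptr)) {
            r.skipped++; cptr -= HDR_LEN; continue;   /* "Skipping bad header" */
        }
        if (!read_down(img, cptr, HDR_LEN + length + CKSUM_LEN, body)) {
            r.oob++; break;                           /* pre-fix crash path */
        }
        r.accepted++;
        cptr -= HDR_LEN + length + CKSUM_LEN;
    }
    return r;
}
/* Constructed sample: a header claiming 200 bytes (under the cap, but larger
 * than the whole image) sits above one valid 8-byte block. */
static struct walk_result walk_sample(bool check_remaining)
{
    uint8_t img[SAMPLE_LEN] = {0};
    img[60] = 1; img[61] = 200;                       /* bad header at the top */
    img[56] = 1; img[57] = 8;                         /* good header below it */
    return walk_blocks(img, SAMPLE_LEN, check_remaining);
}
```

With the remaining-bytes bound the oversized header is skipped and the block beneath it is still parsed; with the pre-fix cap alone the walk attempts a read that would index below the start of the image.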