From: Toke Høiland-Jørgensen
To: Tetsuo Handa, Kalle Valo
Cc: linux-wireless
Subject: Re: [PATCH v2] ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
Date: Tue, 16 Aug 2022 18:38:25 +0200
Message-ID: <871qtgw3cu.fsf@toke.dk>
In-Reply-To: <7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp>
References: <000000000000c98a7f05ac744f53@google.com> <87edxgwarp.fsf@toke.dk> <7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp>
List: linux-wireless@vger.kernel.org

Tetsuo Handa writes:

> syzbot is reporting an uninit value at ath9k_htc_rx_msg() [1], for
> ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
> pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
> __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
> pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates an skb
> with uninitialized memory and ath9k_htc_rx_msg() reads from
> uninitialized memory.
>
> Since the bytes accessed by ath9k_htc_rx_msg() are not known until
> ath9k_htc_rx_msg() is called, it would be difficult to check the minimal
> valid pkt_len at the "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
> ath9k_hif_usb_rx_stream().
>
> We have two choices. One is to work around it by adding __GFP_ZERO so that
> ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
> ath9k_htc_rx_msg() validate pkt_len before accessing it. This patch chose
> the latter.
>
> Note that I'm not sure the threshold condition is correct, for I can't find
> details on the possible packet lengths used by this protocol.
>
> Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
> Reported-by: syzbot
> Signed-off-by: Tetsuo Handa

Acked-by: Toke Høiland-Jørgensen
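The failure mode described in the quoted message, as an added user-space model (this is not the ath9k driver's code, and the `struct rx_hdr` layout, the `rx_buf` type and all function names are assumptions made for illustration): the receive path allocates `pkt_len + 32` bytes, copies only `pkt_len` bytes from the stream, and the message parser then reads a fixed-size header from the front of the buffer. With `pkt_len = 0` the unchecked parser returns whatever the allocator left behind (here made visible with a fill pattern instead of real uninitialised memory), while the checked parser rejects any message shorter than its header before touching it, which is the shape of the fix the patch takes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size message header; stands in for whatever
 * ath9k_htc_rx_msg() reads at skb->data. Not the driver's real struct. */
struct rx_hdr {
    uint8_t  endpoint_id;
    uint8_t  flags;
    uint16_t payload_len;
};

#define RX_BUF_SLACK 32     /* models the +32 in __dev_alloc_skb(pkt_len + 32) */
#define UNINIT_FILL  0xA5   /* marker for bytes the stream never wrote */

/* Minimal skb-like buffer: allocated size vs. bytes actually filled. */
struct rx_buf {
    uint8_t *data;
    size_t   len;    /* bytes copied from the stream (skb->len) */
    size_t   alloc;  /* bytes allocated */
};

/* Allocate pkt_len + slack and copy pkt_len bytes from the stream.
 * The marker fill makes the "uninitialised" tail observable. */
static int rx_buf_alloc(struct rx_buf *b, const uint8_t *src, size_t pkt_len)
{
    b->alloc = pkt_len + RX_BUF_SLACK;
    b->data = malloc(b->alloc);
    if (!b->data)
        return -1;
    memset(b->data, UNINIT_FILL, b->alloc);
    memcpy(b->data, src, pkt_len);   /* skb_put_data(..., pkt_len) equivalent */
    b->len = pkt_len;
    return 0;
}

static void rx_buf_free(struct rx_buf *b)
{
    free(b->data);
    b->data = NULL;
}

/* Pre-fix behaviour: assumes the buffer holds at least a header. */
static int rx_msg_unchecked(const struct rx_buf *b, struct rx_hdr *out)
{
    memcpy(out, b->data, sizeof(*out)); /* reads past b->len when len < header */
    return 0;
}

/* Post-fix behaviour: refuse a message shorter than its header. */
static int rx_msg_checked(const struct rx_buf *b, struct rx_hdr *out)
{
    if (b->len < sizeof(*out))
        return -1;                      /* drop the packet, read nothing */
    memcpy(out, b->data, sizeof(*out));
    return 0;
}

/* Run both parsers over one packet of the given length.
 * Returns the checked parser's result and stores what the unchecked
 * parser saw in *unchecked_hdr so the garbage can be inspected. */
int demo_rx(size_t pkt_len, struct rx_hdr *unchecked_hdr)
{
    /* Constructed stream bytes: endpoint 1, flags 0, payload_len 0. */
    const uint8_t stream[4] = { 0x01, 0x00, 0x00, 0x00 };
    struct rx_buf b;
    struct rx_hdr h;
    int rc;

    if (pkt_len > sizeof(stream))
        return -2;
    if (rx_buf_alloc(&b, stream, pkt_len))
        return -3;

    rx_msg_unchecked(&b, unchecked_hdr);
    rc = rx_msg_checked(&b, &h);
    rx_buf_free(&b);
    return rc;
}

int main(void)
{
    struct rx_hdr h;
    size_t lens[] = { 0, 2, 4 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int rc = demo_rx(lens[i], &h);
        printf("pkt_len=%zu unchecked: ep=0x%02x payload_len=0x%04x | checked rc=%d\n",
               lens[i], h.endpoint_id, h.payload_len, rc);
    }
    return 0;
}
```

With `pkt_len = 0` the unchecked parser reports endpoint 0xa5 and payload_len 0xa5a5, i.e. the fill pattern, where the real driver would be reading uninitialised slab memory; the checked parser returns -1 without reading the header. The quoted message's caveat still applies: a header-size minimum is the weakest check that closes this read, and the protocol's true minimum packet length may be larger.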