Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp13158191rwl; Wed, 4 Jan 2023 04:28:46 -0800 (PST) X-Google-Smtp-Source: AMrXdXtqX4MhPomqn/CvDYpyGEaBkhuelydlElSRUhnsAi7i3IavWgru+cUwmcBi3UoKtP9gUxCw X-Received: by 2002:a05:6402:12d4:b0:461:6219:4b16 with SMTP id k20-20020a05640212d400b0046162194b16mr40890115edx.33.1672835325966; Wed, 04 Jan 2023 04:28:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672835325; cv=none; d=google.com; s=arc-20160816; b=ufx/UoMWd0YO9QoanfhME1x9BkksUIKg2FlfkSBsLx/+f6QyjKgaOQYXVwKRgezjoP QT71n86uNOJRbxdpk2Rbbhz6XSvuqWJuGmp7yevLILolbZsjwFGPZTuTB/SgznQO6u+k Vr4Rd1kjcHWgyjXlPtkZk1ba+5A7WPmFFEbfushr+13EWI33WSKEoYIL7tynF+QxTY8z 4wMswMDiTpJWLc5EOki4m4QuAQ2wI0RInc2I05nkCFJjsiIsLxUY7dqup0Mu+45bH5Ki wGddn/i0a8SVai0dsVOFrRZlmQtW1gRB9i4PtwtbfoYuSgVnr27QRmu415w6JzjnsXj9 o5Uw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:dkim-signature:from; bh=NNwcRJYVxVms+AWcupDEekq0y6tjkYNPNxBhJuo/xeA=; b=yNmgM1h7IrsUQszJ0pGZ7baBfG98iG2wzMsE4oO0+0zdLFVLHYLncDrPit+deFCQfD 3WU5BtJ/4v4wxuCVaGd0ahlUJQHiBH13L0Jh3ZEQFAOsMkHwjgPJRDxA9q0ocy5mx+vW seoD3OXfz6nVEl0bhdAGbxP36F102egCaTVba4JD8KD91yuuowKSZLzsCuT2plnC6A3Z 2QuyGutqkUKxSKfJtzEhqqrEqDMXlz495e7k9xlQnMMu4WYejuH9oqoYdzPLQgT9uNUf OcIV2TLbz8NYyACrMhc+ld4PW4zgIOShnDGJybNhO/BghwrSUXFs0tWYeSAk34/BS7fs 281A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@toke.dk header.s=20161023 header.b=ByRW3Ced; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toke.dk Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b17-20020a056402279100b0046dd7c3ceb5si31255845ede.475.2023.01.04.04.28.29; Wed, 04 Jan 2023 04:28:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@toke.dk header.s=20161023 header.b=ByRW3Ced; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toke.dk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234726AbjADMYb (ORCPT + 67 others); Wed, 4 Jan 2023 07:24:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49980 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234923AbjADMY2 (ORCPT ); Wed, 4 Jan 2023 07:24:28 -0500 Received: from mail.toke.dk (mail.toke.dk [IPv6:2a0c:4d80:42:2001::664]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A38A27A for ; Wed, 4 Jan 2023 04:24:25 -0800 (PST) From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1672835063; bh=IQ6BUtaweM9xtjUfw4eK9Wo0sAFIDVudY5SyeUBdr/Y=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=ByRW3CedrslP6oLfom04Us+vSmGOk0CDZMk2sOLdAw1vj/MXAohSpW0oBqU5mfNFF nnpV5fB94wek0e4tz3E/ws3+SwY7ThW/Sw26UUU+4QB8JmduYmn6e4BiymWdeg0loS SVTg4y37BcDBhj37UBsf5xpaMlkJiU/jSXv4fGVTMJonezFw+zyDAym/rtT1cGvhBY NP8I4bKKd6jhGPu3rNUXg26AfHi5MsyPKIir2yG+k9ylQ01suCtMF6u+9orUSawQ0p kdEYFkaJnj4IIr1X25sOTsx731DD41u1Xifg/6MHA2WJ82//pp40GPRkKzVJlC9CAt GaUtmem1+1COg== To: Minsuk Kang , linux-wireless@vger.kernel.org Cc: kvalo@kernel.org, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang Subject: Re: [PATCH] ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() In-Reply-To: <20230104042147.1419030-1-linuxlovemin@yonsei.ac.kr> References: <20230104042147.1419030-1-linuxlovemin@yonsei.ac.kr> Date: Wed, 04 Jan 2023 13:24:23 +0100 X-Clacks-Overhead: GNU Terry Pratchett Message-ID: <87h6x632tk.fsf@toke.dk> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Minsuk Kang writes: > Fix a stack-out-of-bounds write that occurs in a WMI response callback > function that is called after a timeout occurs in ath9k_wmi_cmd(). > The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that > could no longer be valid when a timeout occurs. Checking seq_no is > insufficient as the bug can occur between the timeout and the next WMI > command. Add wmi->timedout to check whether a timeout occurred. > > Found by a modified version of syzkaller. > > BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx > Write of size 4 > Call Trace: > memcpy > ath9k_wmi_ctrl_rx > ath9k_htc_rx_msg > ath9k_hif_usb_reg_in_cb > __usb_hcd_giveback_urb > usb_hcd_giveback_urb > dummy_timer > call_timer_fn > run_timer_softirq > __do_softirq > irq_exit_rcu > sysvec_apic_timer_interrupt > > Signed-off-by: Minsuk Kang > --- > drivers/net/wireless/ath/ath9k/wmi.c | 5 ++++- > drivers/net/wireless/ath/ath9k/wmi.h | 1 + > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c > index f315c54bd3ac..f46cbecc12e3 100644 > --- a/drivers/net/wireless/ath/ath9k/wmi.c > +++ b/drivers/net/wireless/ath/ath9k/wmi.c > @@ -234,7 +234,8 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, > > /* Check if there has been a timeout. */ > spin_lock_irqsave(&wmi->wmi_lock, flags); > - if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id) { > + if (be16_to_cpu(hdr->seq_no) != wmi->last_seq_id || > + wmi->timedout) { > spin_unlock_irqrestore(&wmi->wmi_lock, flags); > goto free_skb; > } > @@ -290,6 +291,7 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi, > > spin_lock_irqsave(&wmi->wmi_lock, flags); > wmi->last_seq_id = wmi->tx_seq_id; > + wmi->timedout = false; > spin_unlock_irqrestore(&wmi->wmi_lock, flags); > > return htc_send_epid(wmi->htc, skb, wmi->ctrl_epid); > @@ -341,6 +343,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, > if (!time_left) { > ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", > wmi_cmd_to_name(cmd_id)); > + wmi->timedout = true; Instead of introducing a new 'timedout' field, why not just reset last_seq_id to 0 here? That way the existing check should trigger the abort in ath9k_wmi_ctrl_rx()... -Toke