From: Toke Høiland-Jørgensen
To: Minsuk Kang, linux-wireless@vger.kernel.org
Cc: kvalo@kernel.org, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
Subject: Re: [PATCH v2] ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
In-Reply-To: <20230104124130.10996-1-linuxlovemin@yonsei.ac.kr>
References: <20230104124130.10996-1-linuxlovemin@yonsei.ac.kr>
Date: Wed, 04 Jan 2023 15:46:39 +0100
Message-ID: <87zgay1ho0.fsf@toke.dk>
X-Mailing-List: linux-wireless@vger.kernel.org

Minsuk Kang writes:

> Fix a stack-out-of-bounds write that occurs in a WMI response callback
> function that is called after a timeout occurs in ath9k_wmi_cmd().
> The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
> could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
> 0 when a timeout occurred.
>
> Found by a modified version of syzkaller.
>
> BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
> Write of size 4
> Call Trace:
>  memcpy
>  ath9k_wmi_ctrl_rx
>  ath9k_htc_rx_msg
>  ath9k_hif_usb_reg_in_cb
>  __usb_hcd_giveback_urb
>  usb_hcd_giveback_urb
>  dummy_timer
>  call_timer_fn
>  run_timer_softirq
>  __do_softirq
>  irq_exit_rcu
>  sysvec_apic_timer_interrupt
>
> Signed-off-by: Minsuk Kang

Acked-by: Toke Høiland-Jørgensen

Also (Kalle, I assume you can just add this):

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
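As an added illustration (not ath9k's code; the names wmi_ctx, wmi_cmd, wmi_rsp_callback and the device responses are hypothetical), a minimal C model of the bug class and of the fix the commit message describes: the response callback writes through a pointer into the command issuer's stack frame, so on timeout the pending sequence id is cleared and a response arriving after the frame is gone is dropped instead of written.

```c
#include <stdint.h>
#include <string.h>
#define RSP_LEN 4
struct wmi_ctx {           /* hypothetical model, not ath9k's struct */
    uint16_t last_seq_id;  /* 0 = no command is waiting for a response */
    uint8_t *cmd_rsp_buf;  /* points into the waiting caller's stack frame */
};

/* RX path, may run after the caller is gone. Copies only if a command with
 * this seq_id is still waiting; returns 1 if copied, 0 if dropped. */
int wmi_rsp_callback(struct wmi_ctx *w, uint16_t seq_id, const uint8_t *rsp)
{
    if (w->last_seq_id == 0 || seq_id != w->last_seq_id)
        return 0;
    memcpy(w->cmd_rsp_buf, rsp, RSP_LEN);
    w->last_seq_id = 0;
    return 1;
}

/* Command path; 'respond' simulates whether the device answers in time.
 * Returns 0 on success, -1 on timeout. */
int wmi_cmd(struct wmi_ctx *w, uint16_t seq_id, int respond, uint8_t *out)
{
    uint8_t rsp_buf[RSP_LEN] = {0};  /* the stack buffer cmd_rsp_buf points to */
    static const uint8_t dev_rsp[RSP_LEN] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    w->last_seq_id = seq_id;
    w->cmd_rsp_buf = rsp_buf;
    if (respond)
        wmi_rsp_callback(w, seq_id, dev_rsp);
    if (w->last_seq_id != 0) {
        /* Timeout. The fix: clear last_seq_id so a response that arrives
         * after this frame is gone is dropped, not written into rsp_buf. */
        w->last_seq_id = 0;
        return -1;
    }
    memcpy(out, rsp_buf, RSP_LEN);
    return 0;
}
/* Scenario from the report: the command times out, then the reply arrives.
 * Returns 1 when the late reply was dropped rather than written. */
int late_response_is_dropped(void)
{
    struct wmi_ctx w = {0};
    uint8_t out[RSP_LEN];
    static const uint8_t late[RSP_LEN] = {1, 2, 3, 4};  /* constructed */
    if (wmi_cmd(&w, 7, 0, out) != -1)
        return 0;
    return wmi_rsp_callback(&w, 7, late) == 0;  /* rsp_buf's frame is gone */
}
```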