From: Toke Høiland-Jørgensen
To: Minsuk Kang, linux-wireless@vger.kernel.org
Cc: kvalo@kernel.org, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
Subject: Re: [PATCH v2] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
In-Reply-To: <20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr>
References: <20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr>
Date: Thu, 16 Nov 2023 14:39:41 +0100
Message-ID: <87leaxddgi.fsf@toke.dk>
X-Mailing-List: linux-wireless@vger.kernel.org

Minsuk Kang writes:

> Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
> occurs when txs->cnt, data from a URB provided by a USB device, is
> bigger than the size of the array txs->txstatus, which is
> HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
> handling code after the check. Make the function return if that is the
> case.
>
> Found by a modified version of syzkaller.
>
> UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
> index 13 is out of range for type '__wmi_event_txstatus [12]'
> Call Trace:
>  ath9k_htc_txstatus
>  ath9k_wmi_event_tasklet
>  tasklet_action_common
>  __do_softirq
>  irq_exit_rxu
>  sysvec_apic_timer_interrupt
>
> Signed-off-by: Minsuk Kang

Acked-by: Toke Høiland-Jørgensen
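The check the patch describes, as an added illustration that is not part of this thread or of the ath9k driver: a simplified user-space model (the struct names, layouts and the warn_on() stand-in are assumptions, not the kernel's) contrasting a WARN_ON() that only warns with one that also returns, for a device-supplied count indexing a 12-entry array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the event a USB device hands ath9k_htc_txstatus().
 * Assumption: field names follow the patch description; the real kernel
 * struct layouts are not reproduced here. */
#define HTC_MAX_TX_STATUS 12

struct wmi_event_txstatus_entry { uint8_t cookie; uint8_t flags; };

struct wmi_event_txstatus_model {
    uint8_t cnt;                                          /* device-controlled */
    struct wmi_event_txstatus_entry txstatus[HTC_MAX_TX_STATUS];
};

/* Stand-in for WARN_ON(): prints a warning and returns the condition.
 * Like the kernel macro, it does not stop the caller by itself. */
static bool warn_on(bool cond, const char *what)
{
    if (cond)
        fprintf(stderr, "WARNING: %s\n", what);
    return cond;
}

/* Pre-fix shape: WARN_ON fires, but the loop would still trust cnt. To keep
 * this model memory-safe it returns the highest index the loop would read
 * instead of reading it; anything >= HTC_MAX_TX_STATUS is the out-of-bounds
 * read UBSAN reported (index 13 for a 12-entry array). */
static int txstatus_highest_index_unchecked(const struct wmi_event_txstatus_model *txs)
{
    warn_on(txs->cnt > HTC_MAX_TX_STATUS, "txs->cnt > HTC_MAX_TX_STATUS");
    return (int)txs->cnt - 1;
}

/* Post-fix shape: validate the device-supplied count first and bail out,
 * so every index used afterwards is < HTC_MAX_TX_STATUS. Returns the number
 * of entries processed, or -1 when the malformed event is dropped.
 * cookies_out must hold at least HTC_MAX_TX_STATUS ints. */
static int txstatus_process_checked(const struct wmi_event_txstatus_model *txs,
                                    int *cookies_out)
{
    if (warn_on(txs->cnt > HTC_MAX_TX_STATUS, "txs->cnt > HTC_MAX_TX_STATUS"))
        return -1;
    for (int i = 0; i < txs->cnt; i++)
        cookies_out[i] = txs->txstatus[i].cookie;   /* in bounds by construction */
    return txs->cnt;
}
```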