Subject: Re: [PATCH v2] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
From: Kalle Valo
In-Reply-To: <20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr>
To: Minsuk Kang
Cc: linux-wireless@vger.kernel.org, toke@toke.dk, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
Message-ID: <170125734120.1070846.4640976279183534285.kvalo@kernel.org>
Date: Wed, 29 Nov 2023 11:29:02 +0000 (UTC)

Minsuk Kang wrote:

> Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
> occurs when txs->cnt, data from a URB provided by a USB device, is
> bigger than the size of the array txs->txstatus, which is
> HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
> handling code after the check. Make the function return if that is the
> case.
>
> Found by a modified version of syzkaller.
>
> UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
> index 13 is out of range for type '__wmi_event_txstatus [12]'
> Call Trace:
>  ath9k_htc_txstatus
>  ath9k_wmi_event_tasklet
>  tasklet_action_common
>  __do_softirq
>  irq_exit_rxu
>  sysvec_apic_timer_interrupt
>
> Signed-off-by: Minsuk Kang
> Acked-by: Toke Høiland-Jørgensen
> Signed-off-by: Kalle Valo

Patch applied to ath-next branch of ath.git, thanks.

2adc886244df wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
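
The failure mode described in the quoted commit message, as an added userspace model (not the driver's code and not part of the original mail): a device-supplied count that is only warned about still drives the loop, while a checked handler drops the event. The struct layout and all function names are assumptions; only `cnt`, `txstatus` and `HTC_MAX_TX_STATUS` (12, per the UBSAN type) come from the mail.

```c
#include <stdint.h>
#include <stdio.h>

#define HTC_MAX_TX_STATUS 12 /* array size from the UBSAN report */

/* Simplified stand-ins for the driver's types; the entry layout is assumed. */
struct tx_entry { uint8_t cookie, rate, flags; };
struct tx_event {
    uint8_t cnt;                                /* written by the USB device */
    struct tx_entry txstatus[HTC_MAX_TX_STATUS];
};

/* Warn-only handling: the bad count is reported and then used anyway.
 * Out-of-range indices are counted, not dereferenced (safe in userspace). */
static int oob_indices_warn_only(const struct tx_event *txs)
{
    int oob = 0;
    /* WARN_ON(txs->cnt > HTC_MAX_TX_STATUS) fires here, then falls through */
    for (int i = 0; i < txs->cnt; i++)
        if (i >= HTC_MAX_TX_STATUS)
            oob++; /* in the driver: txstatus[i] read past the array */
    return oob;
}

/* Checked handling: reject the event; returns entries consumed or -1. */
static int process_checked(const struct tx_event *txs, uint8_t *cookies)
{
    if (txs->cnt > HTC_MAX_TX_STATUS)
        return -1;
    for (int i = 0; i < txs->cnt; i++)
        cookies[i] = txs->txstatus[i].cookie;
    return txs->cnt;
}

/* Constructed sample event: device-claimed count, cookies 1..12. */
static struct tx_event make_event(uint8_t cnt)
{
    struct tx_event ev = { .cnt = cnt };
    for (int i = 0; i < HTC_MAX_TX_STATUS; i++)
        ev.txstatus[i].cookie = (uint8_t)(i + 1);
    return ev;
}

int main(void)
{
    uint8_t c[HTC_MAX_TX_STATUS] = {0};
    struct tx_event bad = make_event(14);
    printf("cnt=14: warn-only oob=%d, checked=%d\n",
           oob_indices_warn_only(&bad), process_checked(&bad, c));
    return 0;
}
```

With a claimed count of 14, the warn-only path would touch indices 12 and 13, the latter matching the index in the UBSAN report.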