From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zekun Shen <bruceshenzk@gmail.com>,
Brendan Dolan-Gavitt <brendandg@nyu.edu>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
jirislaby@kernel.org, mickflemm@gmail.com, mcgrof@kernel.org,
kvalo@kernel.org, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, linux-wireless@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 01/22] ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
Date: Fri, 1 Apr 2022 10:47:08 -0400
Message-ID: <20220401144729.1955554-1-sashal@kernel.org>
From: Zekun Shen <bruceshenzk@gmail.com>
[ Upstream commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a ]
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curves is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. This line makes pd out of bounds:
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with a real device.
The following is the fuzzing report:
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/YckvDdj3mtCkDRIt@a-10-27-26-18.dynapool.vpn.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath5k/eeprom.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c
index 94d34ee02265..01163b333945 100644
--- a/drivers/net/wireless/ath/ath5k/eeprom.c
+++ b/drivers/net/wireless/ath/ath5k/eeprom.c
@@ -746,6 +746,9 @@ ath5k_eeprom_convert_pcal_info_5111(struct ath5k_hw *ah, int mode,
}
}
+ if (idx == AR5K_EEPROM_N_PD_CURVES)
+ goto err_out;
+
ee->ee_pd_gains[mode] = 1;
pd = &chinfo[pier].pd_curves[idx];
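Review bot: the new `goto err_out` depends on an `err_out` label and cleanup path that sit outside the visible context of this hunk; since the commit message says the change is untested on hardware, please confirm that in the 4.14 tree `err_out` at this point in ath5k_eeprom_convert_pcal_info_5111() releases whatever pd_curves/pd_step storage earlier piers of this mode already allocated and returns a negative error to the caller, so the early exit does not leave a half-initialised chinfo behind. A one-line comment above the check (e.g. `/* no curve selected for this pier: idx ran off the end of the loop */`) would also record why `idx == AR5K_EEPROM_N_PD_CURVES` is the sentinel, which is otherwise only explained in the commit message.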
--
2.34.1
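The bug class described in the commit message (a search loop that exits with its index one past the end when nothing matched, after which the index is turned into a pointer and written through) is small enough to model in a few lines. The following is an added example, not ath5k driver code: the structures, the constant N_PD_CURVES and the function names are hypothetical stand-ins that mimic the shape of chinfo[pier].pd_curves[idx], and the sample piers are constructed in the block. It places the unchecked lookup beside the checked one that mirrors the fix, and shows that the unchecked index lands exactly on the byte after the array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical analogue of AR5K_EEPROM_N_PD_CURVES; the driver's real
 * constant is larger, a small value keeps the demo readable. */
#define N_PD_CURVES 4

struct pd_curve {
	uint8_t pd_points;   /* 0 = curve not populated, so never "selected" */
	uint8_t pd_step[8];  /* constructed payload the consumer fills in */
};

struct chan_pcal_info {
	struct pd_curve pd_curves[N_PD_CURVES];
	uint8_t canary;      /* the byte that sits right after the array */
};

/* Unchecked lookup: the shape of the original loop. When no curve has
 * pd_points set, the loop exits with idx == N_PD_CURVES, one past the end. */
static int find_curve_unchecked(const struct chan_pcal_info *ci)
{
	int idx;

	for (idx = 0; idx < N_PD_CURVES; idx++)
		if (ci->pd_curves[idx].pd_points)
			break;
	return idx;
}

/* Returns 1 if the unchecked index for this pier addresses the byte
 * immediately after pd_curves[] (the canary), 0 otherwise. Forming the
 * one-past pointer is legal C; writing through it is the bug. */
static int unchecked_index_hits_canary(const struct chan_pcal_info *ci)
{
	int idx = find_curve_unchecked(ci);

	return (const void *)&ci->pd_curves[idx] == (const void *)&ci->canary;
}

/* Checked lookup mirroring the fix: reject "no curve selected" before the
 * index is ever turned into a pointer. */
static int find_curve_checked(const struct chan_pcal_info *ci)
{
	int idx = find_curve_unchecked(ci);

	if (idx == N_PD_CURVES)
		return -EINVAL;
	return idx;
}

/* Consumer that writes through the selected curve, as the driver does via
 * pd. With the checked lookup it can only touch memory inside pd_curves[].
 * Returns 0 on success or -EINVAL when nothing was selected. */
static int fill_selected_curve(struct chan_pcal_info *ci, uint8_t value)
{
	int idx = find_curve_checked(ci);

	if (idx < 0)
		return idx;
	memset(ci->pd_curves[idx].pd_step, value, sizeof(ci->pd_curves[idx].pd_step));
	return 0;
}

/* Constructed sample piers: which < 0 gives a pier with no populated curve
 * (the fuzzed case); otherwise curve `which` is marked populated. */
static struct chan_pcal_info sample_pier(int which)
{
	struct chan_pcal_info ci;

	memset(&ci, 0, sizeof(ci));
	if (which >= 0 && which < N_PD_CURVES)
		ci.pd_curves[which].pd_points = 3;
	return ci;
}

int main(void)
{
	struct chan_pcal_info none = sample_pier(-1);
	struct chan_pcal_info two = sample_pier(2);

	printf("no curve: unchecked idx=%d checked=%d hits canary=%d\n",
	       find_curve_unchecked(&none), find_curve_checked(&none),
	       unchecked_index_hits_canary(&none));
	printf("curve 2:  checked idx=%d fill=%d\n",
	       find_curve_checked(&two), fill_selected_curve(&two, 0xaa));
	return 0;
}
```

The check is deliberately placed in the lookup rather than in the consumer, which is the same placement the patch uses: once idx has been used to form pd, every later write through pd inherits the out-of-bounds offset, so the only robust place to reject the sentinel is before the pointer exists. Under KASAN the unchecked path in the driver reports exactly the slab-out-of-bounds write shown in the fuzzing report above.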