From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Minsuk Kang" <linuxlovemin@yonsei.ac.kr>,
"Toke Høiland-Jørgensen" <toke@toke.dk>,
"Kalle Valo" <quic_kvalo@quicinc.com>,
"Sasha Levin" <sashal@kernel.org>,
kvalo@kernel.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 12/44] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
Date: Tue, 16 Jan 2024 14:59:41 -0500
Message-ID: <20240116200044.258335-12-sashal@kernel.org>
In-Reply-To: <20240116200044.258335-1-sashal@kernel.org>
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>

[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]

Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
occurs when txs->cnt, data from a URB provided by a USB device, is
bigger than the size of the array txs->txstatus, which is
HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
handling code after the check. Make the function return if that is the
case.

Found by a modified version of syzkaller.

UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
ath9k_htc_txstatus
ath9k_wmi_event_tasklet
tasklet_action_common
__do_softirq
irq_exit_rxu
sysvec_apic_timer_interrupt

Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 622fc7f17040..5037142c5a82 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event)
struct ath9k_htc_tx_event *tx_pend;
int i;
- for (i = 0; i < txs->cnt; i++) {
- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS);
+ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS))
+ return;
+ for (i = 0; i < txs->cnt; i++) {
__txs = &txs->txstatus[i];
skb = ath9k_htc_tx_get_packet(priv, __txs);
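Review bot: the `if (WARN_ON_ONCE(...)) return;` lines discard the whole batch of TX status entries whenever `txs->cnt` is out of range, which is the right choice for device-controlled data, but it also means none of the frames in that event are completed through `ath9k_htc_tx_get_packet()` on this path; the commit message should say that the pending-TX cleanup path is expected to reap them. Two smaller points: since `txs->cnt` comes straight from the USB device (per the commit message), a hostile or buggy device can trigger the WARN at will, so on systems with `panic_on_warn` set this stays a crash trigger, and a rate-limited `ath_err()`/`ath_dbg()` or a statistics counter would be safer than a WARN for untrusted input. Also, `HTC_MAX_TX_STATUS` only bounds the array capacity, so consider checking that `txs->cnt` entries actually fit in the WMI event length received, so a short transfer cannot make the loop read past the valid data.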
--
2.43.0
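Added example, not code from the patch or from ath9k: the same check-before-index pattern in stand-alone C, using a constructed event layout and constructed names (`tx_event`, `tx_entry`, `demo_case`), and going one step beyond the patch by also bounding `cnt` against the number of bytes actually received.

```c
/* Added example, not ath9k code: validate a device-supplied count before it
 * becomes an array index. Struct names and layout here are constructed. */
#include <stddef.h>
#include <stdint.h>

#define HTC_MAX_TX_STATUS 12            /* same bound as the driver's array */

struct tx_entry { uint16_t cookie; uint8_t flags; uint8_t rate; };

struct tx_event {                       /* hypothetical wire layout */
    uint8_t cnt;                        /* written by the USB device: untrusted */
    uint8_t pad[3];
    struct tx_entry txstatus[HTC_MAX_TX_STATUS];
};

/* Returns the usable entry count, or -1 if cnt cannot be trusted. Checks the
 * array capacity (the bug in the report) and also the bytes actually
 * received, since a short transfer means the trailing entries are absent. */
static int validate_tx_event(const void *buf, size_t len)
{
    const struct tx_event *txs = buf;
    size_t hdr = offsetof(struct tx_event, txstatus);
    if (len < hdr || txs->cnt > HTC_MAX_TX_STATUS)
        return -1;
    if (hdr + (size_t)txs->cnt * sizeof(struct tx_entry) > len)
        return -1;
    return txs->cnt;
}

/* Index txstatus[] only after validation; returns entries consumed or -1. */
int handle_tx_event(const void *buf, size_t len, uint32_t *cookie_sum)
{
    const struct tx_event *txs = buf;
    int n = validate_tx_event(buf, len);
    *cookie_sum = 0;
    for (int i = 0; i < n; i++)         /* body never runs when n < 0 */
        *cookie_sum += txs->txstatus[i].cookie;
    return n;
}

uint32_t last_cookie_sum;               /* result of the last demo_case() */

/* Builds a constructed event with the given cnt (cookies 1..12) and hands
 * `len` bytes of it to the handler, as a URB completion would. */
int demo_case(uint8_t cnt, size_t len)
{
    struct tx_event ev = { .cnt = cnt };
    for (int i = 0; i < HTC_MAX_TX_STATUS; i++)
        ev.txstatus[i].cookie = (uint16_t)(i + 1);
    return handle_tx_event(&ev, len > sizeof ev ? sizeof ev : len, &last_cookie_sum);
}
```

`demo_case(13, sizeof(struct tx_event))` is the case from the UBSAN report and is rejected before any index is formed; `demo_case(4, 8)` shows the extra length check rejecting a count that fits the array but not the bytes received.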