[PATCH] wifi: ath10k: add extra output check in ath10k_wmi_event_debug

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] wifi: ath10k: add extra output check in ath10k_wmi_event_debug_print()
@ 2025-01-10 11:50 Dmitry Antipov
  2025-01-10 12:28 ` Kalle Valo
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Antipov @ 2025-01-10 11:50 UTC (permalink / raw)
  To: Jeff Johnson
  Cc: Kalle Valo, linux-wireless, lvc-project, Dmitry Antipov,
	Fedor Pchelkin

In 'ath10k_wmi_event_debug_print()', passing skb of the very weird
layout may produce debug output of the zero length. In such a case,
'if (skb->data[i - 1] == '\n')' will trigger an access beyond skb data
boundaries. So fix this by adding an extra check whether at least one
byte of the debug output was really emitted. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Suggested-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 5e061f7525a6..ca3237c7d5b0 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -4618,7 +4618,7 @@ void ath10k_wmi_event_debug_print(struct ath10k *ar, struct sk_buff *skb)
 		ath10k_warn(ar, "wmi debug print truncated: %d\n", skb->len);
 
 	/* for some reason the debug prints end with \n, remove that */
-	if (skb->data[i - 1] == '\n')
+	if (i && skb->data[i - 1] == '\n')
 		i--;
 
 	/* the last byte is always reserved for the null character */
-- 
2.47.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] wifi: ath10k: add extra output check in ath10k_wmi_event_debug_print()
  2025-01-10 11:50 [PATCH] wifi: ath10k: add extra output check in ath10k_wmi_event_debug_print() Dmitry Antipov
@ 2025-01-10 12:28 ` Kalle Valo
  0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2025-01-10 12:28 UTC (permalink / raw)
  To: Dmitry Antipov
  Cc: Jeff Johnson, linux-wireless, lvc-project, Fedor Pchelkin, ath10k

Dmitry Antipov <dmantipov@yandex.ru> writes:

> In 'ath10k_wmi_event_debug_print()', passing skb of the very weird
> layout may produce debug output of the zero length. In such a case,
> 'if (skb->data[i - 1] == '\n')' will trigger an access beyond skb data
> boundaries. So fix this by adding an extra check whether at least one
> byte of the debug output was really emitted. Compile tested only.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Suggested-by: Fedor Pchelkin <pchelkin@ispras.ru>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>

Adding ath10k list.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-01-10 12:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-10 11:50 [PATCH] wifi: ath10k: add extra output check in ath10k_wmi_event_debug_print() Dmitry Antipov
2025-01-10 12:28 ` Kalle Valo

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.