From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Jeongjun Park <aha310510@gmail.com>, kvalo@kernel.org
Cc: Sujith.Manoharan@atheros.com, senthilkumar@atheros.com,
vasanth@atheros.com, linville@tuxdriver.com,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Jeongjun Park <aha310510@gmail.com>
Subject: Re: [PATCH v2] wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
Date: Mon, 09 Sep 2024 13:23:04 +0200 [thread overview]
Message-ID: <87v7z5oyuf.fsf@toke.dk> (raw)
In-Reply-To: <20240909103855.68006-1-aha310510@gmail.com>
Jeongjun Park <aha310510@gmail.com> writes:
> I found the following bug in my fuzzer:
>
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
> index 255 is out of range for type 'htc_endpoint [22]'
> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: events request_firmware_work_func
> Call Trace:
> <TASK>
> dump_stack_lvl+0x180/0x1b0
> __ubsan_handle_out_of_bounds+0xd4/0x130
> htc_issue_send.constprop.0+0x20c/0x230
> ? _raw_spin_unlock_irqrestore+0x3c/0x70
> ath9k_wmi_cmd+0x41d/0x610
> ? mark_held_locks+0x9f/0xe0
> ...
>
> Since this bug has been confirmed to be caused by insufficient verification
> of conn_rsp_epid, I think it would be appropriate to add a range check for
> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
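The defect described in the quoted commit message is a classic one: an index chosen by the firmware (conn_rsp_epid) is used to address a fixed-size array on the host without first being checked against the array bound. As an added illustration, not the ath9k driver's code and not the text of the patch itself, the following C snippet shows the validation pattern the patch subject describes. The table size 22 and the out-of-range value 255 are taken from the UBSAN report above; the struct layouts, the function name `htc_connect_service_checked`, and the response format are hypothetical stand-ins.

```c
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Hypothetical stand-in for the driver's endpoint table. The size
 * matches the 'htc_endpoint [22]' type named in the UBSAN report. */
#define ENDPOINT_MAX 22

struct htc_endpoint {
	uint8_t service_id; /* which HTC service this endpoint carries */
	uint8_t in_use;
};

struct htc_target {
	struct htc_endpoint endpoint[ENDPOINT_MAX];
};

/* Connect-response fields as parsed from the firmware message.
 * Constructed for this example; not the real wire format. The epid is
 * chosen by the device, so it is untrusted input to the host. */
struct conn_rsp {
	uint8_t service_id;
	uint8_t epid;
};

/* Zero the endpoint table so the example starts from a known state. */
void htc_target_init(struct htc_target *target)
{
	memset(target, 0, sizeof(*target));
}

/* Validate the endpoint id supplied in the connect response before it
 * is used to index target->endpoint[]. Returns the endpoint index on
 * success, or -EINVAL when the firmware supplied an id outside the
 * table, which is the situation the report shows (index 255). */
int htc_connect_service_checked(struct htc_target *target,
				const struct conn_rsp *rsp)
{
	struct htc_endpoint *ep;

	/* epid is unsigned, so a single upper-bound check covers every
	 * invalid value; a signed id would also need a "< 0" test. */
	if (rsp->epid >= ENDPOINT_MAX)
		return -EINVAL;

	ep = &target->endpoint[rsp->epid];
	ep->service_id = rsp->service_id;
	ep->in_use = 1;

	return rsp->epid;
}
```

The important detail is the order of operations: the comparison happens before the array element is formed, so a hostile or buggy firmware can at worst make the connect fail, not write past the end of the table. Rejecting with an error code rather than clamping also keeps the failure visible to the caller.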
Thread overview: 6+ messages
2024-09-09 10:38 [PATCH v2] wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() Jeongjun Park
2024-09-09 11:23 ` Toke Høiland-Jørgensen [this message]
2024-09-14 11:46 ` Kalle Valo
2024-10-22 0:36 ` Jeongjun Park
2024-10-22 0:39 ` Jeongjun Park
2024-10-22 7:02 ` Kalle Valo