From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Kalle Valo <kvalo@kernel.org>
Cc: linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH v2] ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
Date: Tue, 16 Aug 2022 18:38:25 +0200 [thread overview]
Message-ID: <871qtgw3cu.fsf@toke.dk> (raw)
In-Reply-To: <7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp>
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
> ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
> pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
> __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
> pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
> with uninitialized memory and ath9k_htc_rx_msg() is reading from
> uninitialized memory.
>
> Since bytes accessed by ath9k_htc_rx_msg() is not known until
> ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
> pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
> ath9k_hif_usb_rx_stream().
>
> We have two choices. One is to workaround by adding __GFP_ZERO so that
> ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
> ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
> the latter.
>
> Note that I'm not sure threshold condition is correct, for I can't find
> details on possible packet length used by this protocol.
>
> Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
> Reported-by: syzbot <syzbot+2ca247c2d60c7023de7f@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
next prev parent reply other threads:[~2022-08-16 16:38 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-09 16:27 KMSAN: uninit-value in ath9k_htc_rx_msg syzbot
2020-08-13 3:32 ` syzbot
[not found] ` <a142d63c-7810-40ff-9c24-7160c63bafebn@googlegroups.com>
2022-08-24 13:30 ` Alexander Potapenko
2022-08-25 14:34 ` Tetsuo Handa
2022-08-25 15:09 ` Alexander Potapenko
2022-08-25 15:55 ` Toke Høiland-Jørgensen
2022-08-29 5:36 ` Kalle Valo
2022-08-26 1:35 ` Tetsuo Handa
2022-08-26 8:38 ` Alexander Potapenko
2022-08-28 10:44 ` Phillip Potter
2022-07-30 12:13 ` [PATCH] ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Tetsuo Handa
2022-07-30 13:36 ` Tetsuo Handa
2022-08-16 9:52 ` Tetsuo Handa
2022-08-16 13:58 ` Toke Høiland-Jørgensen
2022-08-16 14:46 ` [PATCH v2] " Tetsuo Handa
2022-08-16 16:38 ` Toke Høiland-Jørgensen [this message]
2022-08-30 12:16 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qtgw3cu.fsf@toke.dk \
--to=toke@toke.dk \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).