From: Toke Høiland-Jørgensen
To: Tetsuo Handa, Kalle Valo
Cc: linux-wireless
Subject: Re: [PATCH v2] ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
In-Reply-To: <7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp>
References: <000000000000c98a7f05ac744f53@google.com> <87edxgwarp.fsf@toke.dk> <7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp>
Date: Tue, 16 Aug 2022 18:38:25 +0200
Message-ID: <871qtgw3cu.fsf@toke.dk>
X-Mailing-List: linux-wireless@vger.kernel.org

Tetsuo Handa writes:

> syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
> ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
> pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
> __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
> pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
> with uninitialized memory and ath9k_htc_rx_msg() is reading from
> uninitialized memory.
>
> Since bytes accessed by ath9k_htc_rx_msg() are not known until
> ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
> pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
> ath9k_hif_usb_rx_stream().
>
> We have two choices. One is to work around by adding __GFP_ZERO so that
> ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
> ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
> the latter.
>
> Note that I'm not sure the threshold condition is correct, for I can't find
> details on possible packet length used by this protocol.
>
> Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
> Reported-by: syzbot
> Signed-off-by: Tetsuo Handa

Acked-by: Toke Høiland-Jørgensen
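As an added example (not part of this thread and not the ath9k driver's code), a user-space model of the second option the patch description chooses: a receive-message parser that bounds every read by the length of valid data, so a zero-length or truncated message is rejected instead of having the uninitialised tail of an oversized allocation interpreted as a header. The 8-byte header layout, the endpoint bound and the function names are assumptions chosen to mirror the description, not the driver's actual definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed header layout (not the driver's): endpoint id (1 byte),
 * flags (1 byte), payload length (2 bytes, big-endian), 4 control bytes. */
#define FRAME_HDR_LEN 8
#define MAX_ENDPOINTS 22   /* assumed upper bound on endpoint ids */

enum rx_status { RX_OK = 0, RX_ERR_SHORT = -1, RX_ERR_TRUNC = -2, RX_ERR_EP = -3 };

/* len must be the number of bytes actually received (the report's pkt_len),
 * never the allocation size: the extra 32 bytes of slack in
 * "pkt_len + 32" hold no data, which is exactly what the bug read. */
enum rx_status rx_msg_parse(const uint8_t *buf, size_t len,
                            uint8_t *endpoint_out, size_t *payload_len_out)
{
    if (len < FRAME_HDR_LEN)          /* the missing minimum-length check */
        return RX_ERR_SHORT;

    uint8_t endpoint = buf[0];
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];

    if (endpoint >= MAX_ENDPOINTS)    /* validate before indexing by it */
        return RX_ERR_EP;
    if (payload_len > len - FRAME_HDR_LEN)  /* header claims more than received */
        return RX_ERR_TRUNC;

    *endpoint_out = endpoint;
    *payload_len_out = payload_len;
    return RX_OK;
}

/* Verdict-only wrapper for callers that do not need the decoded fields. */
enum rx_status rx_msg_check(const uint8_t *buf, size_t len)
{
    uint8_t ep;
    size_t pl;
    return rx_msg_parse(buf, len, &ep, &pl);
}

int main(void)
{
    /* Constructed samples: an empty message (the syzbot case) and a valid one. */
    const uint8_t empty[1] = { 0 };
    const uint8_t good[12] = { 3, 0, 0x00, 0x04, 0, 0, 0, 0, 0xaa, 0xbb, 0xcc, 0xdd };
    printf("empty -> %d\n", rx_msg_check(empty, 0));          /* -1: rejected */
    printf("good  -> %d\n", rx_msg_check(good, sizeof good)); /*  0: accepted */
    return 0;
}
```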