From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Minsuk Kang" <linuxlovemin@yonsei.ac.kr>,
	"Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Kalle Valo" <quic_kvalo@quicinc.com>,
	"Sasha Levin" <sashal@kernel.org>,
	kvalo@kernel.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 12/44] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
Date: Tue, 16 Jan 2024 14:59:41 -0500
Message-ID: <20240116200044.258335-12-sashal@kernel.org>
In-Reply-To: <20240116200044.258335-1-sashal@kernel.org>

From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>

[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]

Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
occurs when txs->cnt, data from a URB provided by a USB device, is
bigger than the size of the array txs->txstatus, which is
HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
handling code after the check. Make the function return if that is the
case.

Found by a modified version of syzkaller.

UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
 ath9k_htc_txstatus
 ath9k_wmi_event_tasklet
 tasklet_action_common
 __do_softirq
 irq_exit_rxu
 sysvec_apic_timer_interrupt

Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 622fc7f17040..5037142c5a82 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event)
 	struct ath9k_htc_tx_event *tx_pend;
 	int i;
 
-	for (i = 0; i < txs->cnt; i++) {
-		WARN_ON(txs->cnt > HTC_MAX_TX_STATUS);
+	if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS))
+		return;
 
+	for (i = 0; i < txs->cnt; i++) {
 		__txs = &txs->txstatus[i];
 
 		skb = ath9k_htc_tx_get_packet(priv, __txs);
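Review bot: the new `if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS)) return;` guards a count that, per the commit message, arrives in a URB from the USB device, so a hostile or buggy device can trigger a kernel warning splat on demand, and on a system booted with panic_on_warn that is a crash rather than a dropped event. Since an out-of-range cnt is a protocol violation by the device and not a driver logic error, consider a plain `if (txs->cnt > HTC_MAX_TX_STATUS) return;` with a rate-limited driver-level message instead of WARN_ON_ONCE, or, if WARN_ON_ONCE is kept deliberately, a one-line comment saying so for the next reader. Hoisting the check out of the loop is the right structure: the old per-iteration `WARN_ON(txs->cnt > HTC_MAX_TX_STATUS)` fired before each access but never prevented the `&txs->txstatus[i]` read that followed it.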
-- 
2.43.0
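The bounds check the commit message describes, as an added C example that is not the ath9k patch's or the kernel's own code: a model of a device-supplied TX-status event whose count field must be validated against both the static array size (the check the upstream fix adds) and the number of bytes the URB actually delivered, so that a count that is within the array bound but larger than the received payload cannot read past the buffer either. The struct layouts, the demo_ function names, the error codes and the three sample event buffers are constructed for this example and are assumptions, not taken from the driver.

```c
/*
 * Added example, not from the ath9k patch or the kernel tree.
 * Validates a count field supplied by a USB device before it is used
 * to index a fixed-size array. Layouts mirror the shape of the driver's
 * txstatus event (a u8 count followed by a fixed array of small
 * records) but are an assumption for this demo, as are all names.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTC_MAX_TX_STATUS 12

struct demo_txstatus {
	uint8_t cookie;
	uint8_t ts_rate;
	uint8_t ts_flags;
} __attribute__((packed));

struct demo_event_txstatus {
	uint8_t cnt;
	struct demo_txstatus txstatus[HTC_MAX_TX_STATUS];
} __attribute__((packed));

enum demo_result {
	DEMO_OK = 0,
	DEMO_ERR_SHORT = -1,	/* URB shorter than the count header */
	DEMO_ERR_CNT = -2,	/* cnt exceeds the static array bound */
	DEMO_ERR_TRUNC = -3,	/* cnt records not actually present in the URB */
};

/*
 * Validate an event before any txstatus[i] access. Two independent
 * bounds matter: the array size (what the upstream fix checks) and the
 * bytes the URB delivered (so a well-counted but truncated event is
 * rejected too). On success the validated copy is written to *out.
 */
int demo_validate_txstatus(const uint8_t *buf, size_t len,
			   struct demo_event_txstatus *out)
{
	struct demo_event_txstatus ev;
	size_t need;

	if (len < offsetof(struct demo_event_txstatus, txstatus))
		return DEMO_ERR_SHORT;

	memset(&ev, 0, sizeof(ev));
	memcpy(&ev, buf, len < sizeof(ev) ? len : sizeof(ev));

	if (ev.cnt > HTC_MAX_TX_STATUS)
		return DEMO_ERR_CNT;

	need = offsetof(struct demo_event_txstatus, txstatus) +
	       (size_t)ev.cnt * sizeof(struct demo_txstatus);
	if (len < need)
		return DEMO_ERR_TRUNC;

	if (out)
		*out = ev;
	return DEMO_OK;
}

/* Returns the number of records processed, or a negative demo_result. */
int demo_process_txstatus(const uint8_t *buf, size_t len)
{
	struct demo_event_txstatus ev;
	int rc = demo_validate_txstatus(buf, len, &ev);
	int i, processed = 0;

	if (rc != DEMO_OK)
		return rc;

	for (i = 0; i < ev.cnt; i++) {
		/* Safe: i < cnt <= HTC_MAX_TX_STATUS and the bytes were received. */
		const struct demo_txstatus *ts = &ev.txstatus[i];
		(void)ts;
		processed++;
	}
	return processed;
}

/* Constructed sample events (not captured from hardware). */
/* cnt = 13 with a full-size payload: the index-13 case from the report. */
const uint8_t demo_bad_cnt[1 + 3 * HTC_MAX_TX_STATUS] = { 13 };
/* cnt = 3 with all three records present. */
const uint8_t demo_good[1 + 3 * 3] = { 3, 0x11, 2, 0, 0x12, 2, 0, 0x13, 2, 0 };
/* cnt = 3 but only one record's bytes arrived. */
const uint8_t demo_trunc[1 + 3] = { 3, 0x11, 2, 0 };

int main(void)
{
	printf("bad cnt  -> %d\n", demo_process_txstatus(demo_bad_cnt, sizeof(demo_bad_cnt)));
	printf("good     -> %d\n", demo_process_txstatus(demo_good, sizeof(demo_good)));
	printf("truncated-> %d\n", demo_process_txstatus(demo_trunc, sizeof(demo_trunc)));
	return 0;
}
```

The second check is the one a backport reviewer would still want to see somewhere on the receive path: the static bound stops the index-13 case, but only a comparison against the received URB length stops a count of, say, 12 delivered with three records' worth of bytes.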

