Message ID | 20230104124130.10996-1-linuxlovemin@yonsei.ac.kr |
---|---|
State | New |
Headers | show |
Series | [v2] ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() | expand |
Toke Høiland-Jørgensen <toke@toke.dk> writes: > Minsuk Kang <linuxlovemin@yonsei.ac.kr> writes: > >> Fix a stack-out-of-bounds write that occurs in a WMI response callback >> function that is called after a timeout occurs in ath9k_wmi_cmd(). >> The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that >> could no longer be valid when a timeout occurs. Set wmi->last_seq_id to >> 0 when a timeout occurred. >> >> Found by a modified version of syzkaller. >> >> BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx >> Write of size 4 >> Call Trace: >> memcpy >> ath9k_wmi_ctrl_rx >> ath9k_htc_rx_msg >> ath9k_hif_usb_reg_in_cb >> __usb_hcd_giveback_urb >> usb_hcd_giveback_urb >> dummy_timer >> call_timer_fn >> run_timer_softirq >> __do_softirq >> irq_exit_rcu >> sysvec_apic_timer_interrupt >> >> Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> > > Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> > > Also (Kalle, I assume you can just add this): > > Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Yes, will add.
Minsuk Kang <linuxlovemin@yonsei.ac.kr> wrote: > Fix a stack-out-of-bounds write that occurs in a WMI response callback > function that is called after a timeout occurs in ath9k_wmi_cmd(). > The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that > could no longer be valid when a timeout occurs. Set wmi->last_seq_id to > 0 when a timeout occurred. > > Found by a modified version of syzkaller. > > BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx > Write of size 4 > Call Trace: > memcpy > ath9k_wmi_ctrl_rx > ath9k_htc_rx_msg > ath9k_hif_usb_reg_in_cb > __usb_hcd_giveback_urb > usb_hcd_giveback_urb > dummy_timer > call_timer_fn > run_timer_softirq > __do_softirq > irq_exit_rcu > sysvec_apic_timer_interrupt > > Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") > Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> > Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Patch applied to ath-next branch of ath.git, thanks. 8a2f35b98306 wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c index f315c54bd3ac..19345b8f7bfd 100644 --- a/drivers/net/wireless/ath/ath9k/wmi.c +++ b/drivers/net/wireless/ath/ath9k/wmi.c @@ -341,6 +341,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, if (!time_left) { ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", wmi_cmd_to_name(cmd_id)); + wmi->last_seq_id = 0; mutex_unlock(&wmi->op_mutex); return -ETIMEDOUT; }
Fix a stack-out-of-bounds write that occurs in a WMI response callback function that is called after a timeout occurs in ath9k_wmi_cmd(). The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that could no longer be valid when a timeout occurs. Set wmi->last_seq_id to 0 when a timeout occurred. Found by a modified version of syzkaller. BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx Write of size 4 Call Trace: memcpy ath9k_wmi_ctrl_rx ath9k_htc_rx_msg ath9k_hif_usb_reg_in_cb __usb_hcd_giveback_urb usb_hcd_giveback_urb dummy_timer call_timer_fn run_timer_softirq __do_softirq irq_exit_rcu sysvec_apic_timer_interrupt Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> --- v1->v2: Reset wmi->last_seq_id to 0 instead of introducing a new 'timedout' field when a timeout occurred. drivers/net/wireless/ath/ath9k/wmi.c | 1 + 1 file changed, 1 insertion(+)