From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: Zekun Shen <bruceshenzk@gmail•com>,
Brendan Dolan-Gavitt <brendandg@nyu•edu>,
Kalle Valo <quic_kvalo@quicinc•com>,
Sasha Levin <sashal@kernel•org>,
jirislaby@kernel•org, mickflemm@gmail•com, mcgrof@kernel•org,
kvalo@kernel•org, davem@davemloft•net, kuba@kernel•org,
pabeni@redhat•com, linux-wireless@vger•kernel.org,
netdev@vger•kernel.org
Subject: [PATCH AUTOSEL 5.17 003/149] ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
Date: Fri, 1 Apr 2022 10:23:10 -0400 [thread overview]
Message-ID: <20220401142536.1948161-3-sashal@kernel.org> (raw)
In-Reply-To: <20220401142536.1948161-1-sashal@kernel.org>
From: Zekun Shen <bruceshenzk@gmail•com>
[ Upstream commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a ]
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curve is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with real device.
The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu•edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail•com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc•com>
Link: https://lore.kernel.org/r/YckvDdj3mtCkDRIt@a-10-27-26-18.dynapool.vpn.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
drivers/net/wireless/ath/ath5k/eeprom.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c
index 1fbc2c19848f..d444b3d70ba2 100644
--- a/drivers/net/wireless/ath/ath5k/eeprom.c
+++ b/drivers/net/wireless/ath/ath5k/eeprom.c
@@ -746,6 +746,9 @@ ath5k_eeprom_convert_pcal_info_5111(struct ath5k_hw *ah, int mode,
}
}
+ if (idx == AR5K_EEPROM_N_PD_CURVES)
+ goto err_out;
+
ee->ee_pd_gains[mode] = 1;
pd = &chinfo[pier].pd_curves[idx];
--
2.34.1
next prev parent reply other threads:[~2022-04-01 14:25 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220401142536.1948161-1-sashal@kernel.org>
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 002/149] Bluetooth: hci_sync: Fix compilation warning Sasha Levin
2022-04-01 14:23 ` Sasha Levin [this message]
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 004/149] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 009/149] Bluetooth: hci_event: Ignore multiple conn complete events Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 017/149] ptp: replace snprintf with sysfs_emit Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 018/149] Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 019/149] selftests, xsk: Fix bpf_res cleanup test Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 020/149] net/mlx5e: TC, Hold sample_attr on stack instead of pointer Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 025/149] mlxsw: spectrum: Guard against invalid local ports Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 029/149] ath11k: fix kernel panic during unload/load ath11k modules Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 030/149] ath11k: pci: fix crash on suspend if board file is not found Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 031/149] ath11k: mhi: use mhi_sync_power_up() Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 032/149] net/smc: Send directly when TCP_CORK is cleared Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 034/149] bpf: Make dst_port field in struct bpf_sock 16-bit wide Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 039/149] mt76: mt7921: fix crash when startup fails Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 040/149] mt76: dma: initialize skip_unmap in mt76_dma_rx_fill Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 041/149] i40e: Add sending commands in atomic context Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 042/149] cfg80211: don't add non transmitted BSS to 6GHz scanned channels Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 043/149] libbpf: Fix build issue with llvm-readelf Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 044/149] ipv6: make mc_forwarding atomic Sasha Levin
2022-04-01 14:23 ` [PATCH AUTOSEL 5.17 046/149] net: initialize init_net earlier Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 060/149] libbpf: Fix accessing syscall arguments on powerpc Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 061/149] libbpf: Fix accessing the first syscall argument on arm64 Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 062/149] libbpf: Fix accessing the first syscall argument on s390 Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 064/149] tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 074/149] net/mlx5e: Disable TX queues before registering the netdev Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 078/149] iwlwifi: mvm: Correctly set fragmented EBS Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 079/149] iwlwifi: mvm: Passively scan non PSC channels only when requested so Sasha Levin
2022-04-01 14:52 ` Ben Greear
2022-04-09 14:04 ` Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 080/149] iwlwifi: fix small doc mistake for iwl_fw_ini_addr_val Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 081/149] iwlwifi: mvm: move only to an enabled channel Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 082/149] ipv6: annotate some data-races around sk->sk_prot Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 085/149] rtw89: fix RCU usage in rtw89_core_txq_push() Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 086/149] ath11k: Fix frames flush failure caused by deadlock Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 087/149] ipv4: Invalidate neighbour for broadcast address upon address addition Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 088/149] rtw88: change rtw_info() to proper message level Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 099/149] mt76: mt7915: fix injected MPDU transmission to not use HW A-MSDU Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 101/149] mctp: make __mctp_dev_get() take a refcount hold Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 103/149] mt76: mt7615: Fix assigning negative values to unsigned variable Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 109/149] net/smc: correct settings of RMB window update limit Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 111/149] iavf: stop leaking iavf_status as "errno" values Sasha Levin
2022-04-01 14:24 ` [PATCH AUTOSEL 5.17 112/149] macvtap: advertise link netns via netlink Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 114/149] tuntap: add sanity checks about msg_controllen in sendmsg Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 117/149] Bluetooth: Fix not checking for valid hdev on bt_dev_{info,warn,err,dbg} Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 118/149] Bluetooth: use memset avoid memory leaks Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 119/149] bnxt_en: Eliminate unintended link toggle during FW reset Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 123/149] powerpc/64e: Tie PPC_BOOK3E_64 to PPC_FSL_BOOK3E Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 127/149] can: isotp: set default value for N_As to 50 micro seconds Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 128/149] can: etas_es58x: es58x_fd_rx_event_msg(): initialize rx_event_msg before calling es58x_check_msg_len() Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 130/149] net: account alternate interface name memory Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 131/149] net: limit altnames to 64k total Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 132/149] net/mlx5e: Remove overzealous validations in netlink EEPROM query Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 135/149] net: sfp: add 2500base-X quirk for Lantech SFP module Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 138/149] mt76: fix monitor mode crash with sdio driver Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 140/149] iwlwifi: mei: fix building iwlmei Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 142/149] Bluetooth: Fix use after free in hci_send_acl Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 143/149] netfilter: conntrack: revisit gc autotuning Sasha Levin
2022-04-01 14:25 ` [PATCH AUTOSEL 5.17 144/149] netlabel: fix out-of-bounds memory accesses Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220401142536.1948161-3-sashal@kernel.org \
--to=sashal@kernel$(echo .)org \
--cc=brendandg@nyu$(echo .)edu \
--cc=bruceshenzk@gmail$(echo .)com \
--cc=davem@davemloft$(echo .)net \
--cc=jirislaby@kernel$(echo .)org \
--cc=kuba@kernel$(echo .)org \
--cc=kvalo@kernel$(echo .)org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-wireless@vger$(echo .)kernel.org \
--cc=mcgrof@kernel$(echo .)org \
--cc=mickflemm@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=pabeni@redhat$(echo .)com \
--cc=quic_kvalo@quicinc$(echo .)com \
--cc=stable@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox