* [PATCH] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
From: Zekun Shen @ 2021-10-28 22:37 UTC (permalink / raw)
  To: bruceshenzk
  Cc: Pontus Fuchs, Kalle Valo, David S. Miller, Jakub Kicinski,
	linux-wireless, netdev, linux-kernel

Unexpected WDCMSG_TARGET_START reply can lead to null-ptr-deref
when ar->tx_cmd->odata is NULL. The patch adds a null check to
prevent such a case.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 ar5523_cmd+0x46a/0x581 [ar5523]
 ar5523_probe.cold+0x1b7/0x18da [ar5523]
 ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
 ? __pm_runtime_set_status+0x54a/0x8f0
 ? _raw_spin_trylock_bh+0x120/0x120
 ? pm_runtime_barrier+0x220/0x220
 ? __pm_runtime_resume+0xb1/0xf0
 usb_probe_interface+0x25b/0x710
 really_probe+0x209/0x5d0
 driver_probe_device+0xc6/0x1b0
 device_driver_attach+0xe2/0x120

Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
---
 drivers/net/wireless/ath/ar5523/ar5523.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 49cc4b7ed..1baec4b41 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb)
 			ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START");
 			return;
 		}
+		if (!cmd->odata) {
+			ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply");
+			return;
+		}
 		memcpy(cmd->odata, hdr + 1, sizeof(u32));
 		cmd->olen = sizeof(u32);
 		cmd->res = 0;
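Review bot: the new early return leaves cmd->res untouched and never completes the command, exactly like the "Invalid reply" branch just above it, so whoever is waiting on this reply presumably times out rather than seeing an error; if that is intended, say so in the commit log, and the log should also explain how a WDCMSG_TARGET_START reply can arrive for a command that was issued without an output buffer (the message calls the reply "unexpected" but does not describe the path by which odata ends up NULL). A more specific error string, for example `ar5523_err(ar, "WDCMSG_TARGET_START reply with no output buffer");`, would also make the two failure cases distinguishable in the log.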
-- 
2.25.1



* Re: [PATCH] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
From: Kalle Valo @ 2021-10-29  3:53 UTC (permalink / raw)
  To: Zekun Shen
  Cc: Pontus Fuchs, David S. Miller, Jakub Kicinski, linux-wireless,
	netdev, linux-kernel

Zekun Shen <bruceshenzk@gmail.com> writes:

> Unexpected WDCMSG_TARGET_START reply can lead to null-ptr-deref
> when ar->tx_cmd->odata is NULL. The patch adds a null check to
> prevent such a case.
>
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>  ar5523_cmd+0x46a/0x581 [ar5523]
>  ar5523_probe.cold+0x1b7/0x18da [ar5523]
>  ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
>  ? __pm_runtime_set_status+0x54a/0x8f0
>  ? _raw_spin_trylock_bh+0x120/0x120
>  ? pm_runtime_barrier+0x220/0x220
>  ? __pm_runtime_resume+0xb1/0xf0
>  usb_probe_interface+0x25b/0x710
>  really_probe+0x209/0x5d0
>  driver_probe_device+0xc6/0x1b0
>  device_driver_attach+0xe2/0x120
>
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>

How did you test this?

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
From: Zekun Shen @ 2021-10-29 13:53 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Pontus Fuchs, David S. Miller, Jakub Kicinski, linux-wireless,
	netdev, linux-kernel

On Fri, Oct 29, 2021 at 06:53:30AM +0300, Kalle Valo wrote:
> Zekun Shen <bruceshenzk@gmail.com> writes:
> 
> > Unexpected WDCMSG_TARGET_START reply can lead to null-ptr-deref
> > when ar->tx_cmd->odata is NULL. The patch adds a null check to
> > prevent such a case.
> >
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> >  ar5523_cmd+0x46a/0x581 [ar5523]
> >  ar5523_probe.cold+0x1b7/0x18da [ar5523]
> >  ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
> >  ? __pm_runtime_set_status+0x54a/0x8f0
> >  ? _raw_spin_trylock_bh+0x120/0x120
> >  ? pm_runtime_barrier+0x220/0x220
> >  ? __pm_runtime_resume+0xb1/0xf0
> >  usb_probe_interface+0x25b/0x710
> >  really_probe+0x209/0x5d0
> >  driver_probe_device+0xc6/0x1b0
> >  device_driver_attach+0xe2/0x120
> >
> > Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
> 
> How did you test this?
I found the bug using a custom USBFuzz port. It's a research work
to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
providing hand-crafted usb descriptors to QEMU.

After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, 
I got the null-ptr-deref bug. I believe the bug is triggerable whenever
cmd->odata is NULL. After patching, I tested with the same input and no
longer see the KASAN report.
> 
> -- 
> https://patchwork.kernel.org/project/linux-wireless/list/
> 
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
From: Kalle Valo @ 2021-11-10 14:56 UTC (permalink / raw)
  To: Zekun Shen
  Cc: Pontus Fuchs, David S. Miller, Jakub Kicinski, linux-wireless,
	netdev, linux-kernel

Zekun Shen <bruceshenzk@gmail.com> writes:

> On Fri, Oct 29, 2021 at 06:53:30AM +0300, Kalle Valo wrote:
>> Zekun Shen <bruceshenzk@gmail.com> writes:
>> 
>> > Unexpected WDCMSG_TARGET_START reply can lead to null-ptr-deref
>> > when ar->tx_cmd->odata is NULL. The patch adds a null check to
>> > prevent such a case.
>> >
>> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>> >  ar5523_cmd+0x46a/0x581 [ar5523]
>> >  ar5523_probe.cold+0x1b7/0x18da [ar5523]
>> >  ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
>> >  ? __pm_runtime_set_status+0x54a/0x8f0
>> >  ? _raw_spin_trylock_bh+0x120/0x120
>> >  ? pm_runtime_barrier+0x220/0x220
>> >  ? __pm_runtime_resume+0xb1/0xf0
>> >  usb_probe_interface+0x25b/0x710
>> >  really_probe+0x209/0x5d0
>> >  driver_probe_device+0xc6/0x1b0
>> >  device_driver_attach+0xe2/0x120
>> >
>> > Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
>> 
>> How did you test this?
>
> I found the bug using a custom USBFuzz port. It's a research work
> to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
> providing hand-crafted usb descriptors to QEMU.
>
> After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, 
> I got the null-ptr-deref bug. I believe the bug is triggerable whenever
> cmd->odata is NULL. After patching, I tested with the same input and no
> longer see the KASAN report.

Ok, so you didn't test this on a real device at all. I'll mention that
in the commit log and also copy what you wrote above.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
From: Kalle Valo @ 2021-11-12  7:54 UTC (permalink / raw)
  To: Zekun Shen
  Cc: bruceshenzk, Pontus Fuchs, David S. Miller, Jakub Kicinski,
	linux-wireless, netdev, linux-kernel

Zekun Shen <bruceshenzk@gmail.com> wrote:

> Unexpected WDCMSG_TARGET_START reply can lead to null-ptr-deref
> when ar->tx_cmd->odata is NULL. The patch adds a null check to
> prevent such a case.
> 
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>  ar5523_cmd+0x46a/0x581 [ar5523]
>  ar5523_probe.cold+0x1b7/0x18da [ar5523]
>  ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
>  ? __pm_runtime_set_status+0x54a/0x8f0
>  ? _raw_spin_trylock_bh+0x120/0x120
>  ? pm_runtime_barrier+0x220/0x220
>  ? __pm_runtime_resume+0xb1/0xf0
>  usb_probe_interface+0x25b/0x710
>  really_probe+0x209/0x5d0
>  driver_probe_device+0xc6/0x1b0
>  device_driver_attach+0xe2/0x120
> 
> I found the bug using a custom USBFuzz port. It's a research work
> to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
> providing hand-crafted usb descriptors to QEMU.
> 
> After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START,
> I got the null-ptr-deref bug. I believe the bug is triggerable whenever
> cmd->odata is NULL. After patching, I tested with the same input and no
> longer see the KASAN report.
> 
> This was NOT tested on a real device.
> 
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

ae80b6033834 ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


