Linux-Wireless Archive on lore.kernel.org
* [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
@ 2019-08-04  0:31 Hui Peng
  2019-08-10 10:13 ` Greg KH
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Hui Peng @ 2019-08-04  0:31 UTC (permalink / raw)
  To: kvalo, davem
  Cc: Hui Peng, Mathias Payer, ath10k, linux-wireless, netdev, linux-kernel

The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
is initialized to point to the containing `ath10k_usb` object
according to endpoint descriptors read from the device side, as shown
below in `ath10k_usb_setup_pipe_resources`:

for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
        endpoint = &iface_desc->endpoint[i].desc;

        // get the address from endpoint descriptor
        pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
                                                endpoint->bEndpointAddress,
                                                &urbcount);
        ......
        // select the pipe object
        pipe = &ar_usb->pipes[pipe_num];

        // initialize the ar_usb field
        pipe->ar_usb = ar_usb;
}

The driver assumes that the addresses reported in endpoint
descriptors from the device side are complete. If a device is
malicious and does not report complete addresses, it may trigger a
NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
`ath10k_usb_free_urb_to_pipe`.

This patch fixes the bug by preventing the potential NULL-ptr-deref.

Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
---
 drivers/net/wireless/ath/ath10k/usb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
index e1420f67f776..14d86627b47f 100644
--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -38,6 +38,10 @@ ath10k_usb_alloc_urb_from_pipe(struct ath10k_usb_pipe *pipe)
 	struct ath10k_urb_context *urb_context = NULL;
 	unsigned long flags;
 
+	/* bail if this pipe is not initialized */
+	if (!pipe->ar_usb)
+		return NULL;
+
 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
 	if (!list_empty(&pipe->urb_list_head)) {
 		urb_context = list_first_entry(&pipe->urb_list_head,
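Review bot: the `if (!pipe->ar_usb) return NULL;` guard is safe for callers, since `urb_context` starts as NULL and the function already returns NULL when `urb_list_head` is empty, but it treats the symptom on every allocation rather than the cause; the commit message locates the cause in `ath10k_usb_setup_pipe_resources`, where a pipe whose endpoint the device never reported keeps a NULL `ar_usb`, so consider also failing probe there when any pipe is left uninitialised, and state in the commit message why a use-time check was chosen.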
@@ -55,6 +59,10 @@ static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe,
 {
 	unsigned long flags;
 
+	/* bail if this pipe is not initialized */
+	if (!pipe->ar_usb)
+		return NULL;
+
 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
 
 	pipe->urb_cnt++;
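Review bot: `return NULL;` in the added guard returns a value from a function the hunk header shows as `static void ath10k_usb_free_urb_to_pipe(...)`; gcc will warn "'return' with a value, in function returning void", so this should be a bare `return;`.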
-- 
2.22.0
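
To make the failure mode and the two fixes concrete, here is an added user-space model (example code, not the ath10k driver's own): it replays the setup loop from the commit message with constructed endpoint lists, shows the use-time guard from the patch (with the bare return the void free path needs), and adds a probe-time check that rejects a device whose descriptors leave a pipe uninitialised. Struct layouts, the endpoint-to-pipe mapping and the descriptor lists are assumptions.

```c
/* Added example, not ath10k driver code: a user-space model of the setup loop
 * in the commit message, the use-time guard from the patch, and a probe-time
 * check that rejects a device whose descriptors leave a pipe uninitialised.
 * Struct layouts, the pipe mapping and descriptor lists are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NUM_PIPES 4

struct ath_pipe {
	struct ath_usb *ar_usb;	/* back-pointer to the owner; NULL until setup */
	unsigned int urb_free;	/* models the free contexts on urb_list_head */
};
struct ath_usb {
	struct ath_pipe pipes[NUM_PIPES];
};

/* Assumed endpoint address of each logical pipe; stands in for the mapping
 * done by ath10k_usb_get_logical_pipe_num(). */
static const uint8_t pipe_ep_addr[NUM_PIPES] = { 0x01, 0x81, 0x02, 0x82 };

/* Model of ath10k_usb_setup_pipe_resources(): only the pipes selected by the
 * endpoints the device actually reports get ar_usb set. */
static void setup_pipes(struct ath_usb *ar_usb, const uint8_t *eps, size_t n)
{
	memset(ar_usb->pipes, 0, sizeof(ar_usb->pipes));
	for (size_t i = 0; i < n; i++)
		for (int num = 0; num < NUM_PIPES; num++)
			if (pipe_ep_addr[num] == eps[i]) {
				ar_usb->pipes[num].ar_usb = ar_usb;
				ar_usb->pipes[num].urb_free = 2;
			}
}

/* Probe-time hardening: after the setup loop, refuse a device whose
 * descriptors left any pipe without an owner, so a malformed descriptor set
 * never reaches the data path.  Returns 1 if the device passes, else 0. */
static int probe_ok(const uint8_t *eps, size_t n)
{
	struct ath_usb dev;
	setup_pipes(&dev, eps, n);
	for (int i = 0; i < NUM_PIPES; i++)
		if (!dev.pipes[i].ar_usb)
			return 0;
	return 1;
}

/* Use-time guard as in the first hunk: with no owner there is no cs_lock or
 * urb list to touch, so hand back NULL instead of dereferencing ar_usb. */
static struct ath_pipe *alloc_urb_from_pipe(struct ath_pipe *pipe)
{
	if (!pipe->ar_usb || pipe->urb_free == 0)	/* uninitialised or empty */
		return NULL;
	pipe->urb_free--;
	return pipe;	/* the driver returns the popped urb_context */
}

/* Same guard on the void free path, with the bare return the second hunk
 * needs instead of "return NULL;" in a function returning void. */
static void free_urb_to_pipe(struct ath_pipe *pipe)
{
	if (!pipe->ar_usb)
		return;
	pipe->urb_free++;
}

/* Constructed descriptor lists: a complete device and one omitting endpoints. */
static const uint8_t complete_eps[] = { 0x01, 0x81, 0x02, 0x82 };
static const uint8_t partial_eps[]  = { 0x01, 0x81 };

/* 1 if both guards cope with a pipe the partial device never set up. */
static int guards_catch_uninit_pipe(void)
{
	struct ath_usb dev;
	setup_pipes(&dev, partial_eps, sizeof(partial_eps));
	free_urb_to_pipe(&dev.pipes[3]);	/* no-op rather than a NULL deref */
	return alloc_urb_from_pipe(&dev.pipes[3]) == NULL &&
	       alloc_urb_from_pipe(&dev.pipes[0]) != NULL;
}
```

The probe-time check is the part the patch does not add; with it, a device that omits endpoints is rejected once at probe instead of being guarded on every URB operation.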



* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-08-04  0:31 [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Hui Peng
@ 2019-08-10 10:13 ` Greg KH
  2019-08-31 21:31 ` Guenter Roeck
  2019-09-03 14:14 ` Kalle Valo
  2 siblings, 0 replies; 9+ messages in thread
From: Greg KH @ 2019-08-10 10:13 UTC (permalink / raw)
  To: Hui Peng
  Cc: kvalo, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
> is initialized to point to the containing `ath10k_usb` object
> according to endpoint descriptors read from the device side, as shown
> below in `ath10k_usb_setup_pipe_resources`:
> 
> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
> 
>         // get the address from endpoint descriptor
>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>                                                 endpoint->bEndpointAddress,
>                                                 &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
> 
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
> }
> 
> The driver assumes that the addresses reported in endpoint
> descriptors from the device side are complete. If a device is
> malicious and does not report complete addresses, it may trigger a
> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
> `ath10k_usb_free_urb_to_pipe`.
> 
> This patch fixes the bug by preventing the potential NULL-ptr-deref.
> 
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-08-04  0:31 [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Hui Peng
  2019-08-10 10:13 ` Greg KH
@ 2019-08-31 21:31 ` Guenter Roeck
  2019-09-01  8:06   ` Kalle Valo
  2019-09-01 19:45   ` Hui Peng
  2019-09-03 14:14 ` Kalle Valo
  2 siblings, 2 replies; 9+ messages in thread
From: Guenter Roeck @ 2019-08-31 21:31 UTC (permalink / raw)
  To: Hui Peng
  Cc: kvalo, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

Hi,

On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
> is initialized to point to the containing `ath10k_usb` object
> according to endpoint descriptors read from the device side, as shown
> below in `ath10k_usb_setup_pipe_resources`:
> 
> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
> 
>         // get the address from endpoint descriptor
>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>                                                 endpoint->bEndpointAddress,
>                                                 &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
> 
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
> }
> 
> The driver assumes that the addresses reported in endpoint
> descriptors from the device side are complete. If a device is
> malicious and does not report complete addresses, it may trigger a
> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
> `ath10k_usb_free_urb_to_pipe`.
> 
> This patch fixes the bug by preventing the potential NULL-ptr-deref.
> 
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>

This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
next.

Is the patch going to be applied to the upstream kernel anytime soon? If
not, is there reason to believe that its severity may not be as high as the
CVSS score indicates?

Thanks,
Guenter

> ---
>  drivers/net/wireless/ath/ath10k/usb.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
> index e1420f67f776..14d86627b47f 100644
> --- a/drivers/net/wireless/ath/ath10k/usb.c
> +++ b/drivers/net/wireless/ath/ath10k/usb.c
> @@ -38,6 +38,10 @@ ath10k_usb_alloc_urb_from_pipe(struct ath10k_usb_pipe *pipe)
>  	struct ath10k_urb_context *urb_context = NULL;
>  	unsigned long flags;
>  
> +	/* bail if this pipe is not initialized */
> +	if (!pipe->ar_usb)
> +		return NULL;
> +
>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>  	if (!list_empty(&pipe->urb_list_head)) {
>  		urb_context = list_first_entry(&pipe->urb_list_head,
> @@ -55,6 +59,10 @@ static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe,
>  {
>  	unsigned long flags;
>  
> +	/* bail if this pipe is not initialized */
> +	if (!pipe->ar_usb)
> +		return NULL;
> +
>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>  
>  	pipe->urb_cnt++;
> -- 
> 2.22.0
> 


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-08-31 21:31 ` Guenter Roeck
@ 2019-09-01  8:06   ` Kalle Valo
  2019-10-18  4:05     ` Guenter Roeck
  2019-09-01 19:45   ` Hui Peng
  1 sibling, 1 reply; 9+ messages in thread
From: Kalle Valo @ 2019-09-01  8:06 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: Hui Peng, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

Guenter Roeck <linux@roeck-us.net> writes:

> Hi,
>
> On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
>> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
>> is initialized to point to the containing `ath10k_usb` object
>> according to endpoint descriptors read from the device side, as shown
>> below in `ath10k_usb_setup_pipe_resources`:
>> 
>> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>         endpoint = &iface_desc->endpoint[i].desc;
>> 
>>         // get the address from endpoint descriptor
>>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>>                                                 endpoint->bEndpointAddress,
>>                                                 &urbcount);
>>         ......
>>         // select the pipe object
>>         pipe = &ar_usb->pipes[pipe_num];
>> 
>>         // initialize the ar_usb field
>>         pipe->ar_usb = ar_usb;
>> }
>> 
>> The driver assumes that the addresses reported in endpoint
>> descriptors from the device side are complete. If a device is
>> malicious and does not report complete addresses, it may trigger a
>> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
>> `ath10k_usb_free_urb_to_pipe`.
>> 
>> This patch fixes the bug by preventing the potential NULL-ptr-deref.
>> 
>> Signed-off-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
>
> This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
> and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
> next.
>
> Is the patch going to be applied to the upstream kernel anytime soon?

Same answer as in patch 1:

https://patchwork.kernel.org/patch/11074655/

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-08-31 21:31 ` Guenter Roeck
  2019-09-01  8:06   ` Kalle Valo
@ 2019-09-01 19:45   ` Hui Peng
  1 sibling, 0 replies; 9+ messages in thread
From: Hui Peng @ 2019-09-01 19:45 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: kvalo, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

On 8/31/19 5:31 PM, Guenter Roeck wrote:
> Hi,
>
> On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
>> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
>> is initialized to point to the containing `ath10k_usb` object
>> according to endpoint descriptors read from the device side, as shown
>> below in `ath10k_usb_setup_pipe_resources`:
>>
>> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>         endpoint = &iface_desc->endpoint[i].desc;
>>
>>         // get the address from endpoint descriptor
>>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>>                                                 endpoint->bEndpointAddress,
>>                                                 &urbcount);
>>         ......
>>         // select the pipe object
>>         pipe = &ar_usb->pipes[pipe_num];
>>
>>         // initialize the ar_usb field
>>         pipe->ar_usb = ar_usb;
>> }
>>
>> The driver assumes that the addresses reported in endpoint
>> descriptors from the device side are complete. If a device is
>> malicious and does not report complete addresses, it may trigger a
>> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
>> `ath10k_usb_free_urb_to_pipe`.
>>
>> This patch fixes the bug by preventing the potential NULL-ptr-deref.
>>
>> Signed-off-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Hui Peng <benquike@gmail.com>
>> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
> and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
> next.
>
> Is the patch going to be applied to the upstream kernel anytime soon? If
> not, is there reason to believe that its severity may not be as high as the
> CVSS score indicates?
The score was assigned by MITRE.
Same as the previous ones, it is under review; once it passes, it will be applied.
> Thanks,
> Guenter
>
>> ---
>>  drivers/net/wireless/ath/ath10k/usb.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
>> index e1420f67f776..14d86627b47f 100644
>> --- a/drivers/net/wireless/ath/ath10k/usb.c
>> +++ b/drivers/net/wireless/ath/ath10k/usb.c
>> @@ -38,6 +38,10 @@ ath10k_usb_alloc_urb_from_pipe(struct ath10k_usb_pipe *pipe)
>>  	struct ath10k_urb_context *urb_context = NULL;
>>  	unsigned long flags;
>>  
>> +	/* bail if this pipe is not initialized */
>> +	if (!pipe->ar_usb)
>> +		return NULL;
>> +
>>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>>  	if (!list_empty(&pipe->urb_list_head)) {
>>  		urb_context = list_first_entry(&pipe->urb_list_head,
>> @@ -55,6 +59,10 @@ static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe,
>>  {
>>  	unsigned long flags;
>>  
>> +	/* bail if this pipe is not initialized */
>> +	if (!pipe->ar_usb)
>> +		return NULL;
>> +
>>  	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
>>  
>>  	pipe->urb_cnt++;
>> -- 
>> 2.22.0
>>


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-08-04  0:31 [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Hui Peng
  2019-08-10 10:13 ` Greg KH
  2019-08-31 21:31 ` Guenter Roeck
@ 2019-09-03 14:14 ` Kalle Valo
  2 siblings, 0 replies; 9+ messages in thread
From: Kalle Valo @ 2019-09-03 14:14 UTC (permalink / raw)
  To: Hui Peng
  Cc: davem, Hui Peng, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

Hui Peng <benquike@gmail.com> wrote:

> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
> is initialized to point to the containing `ath10k_usb` object
> according to endpoint descriptors read from the device side, as shown
> below in `ath10k_usb_setup_pipe_resources`:
> 
> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
> 
>         // get the address from endpoint descriptor
>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>                                                 endpoint->bEndpointAddress,
>                                                 &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
> 
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
> }
> 
> The driver assumes that the addresses reported in endpoint
> descriptors from the device side are complete. If a device is
> malicious and does not report complete addresses, it may trigger a
> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
> `ath10k_usb_free_urb_to_pipe`.
> 
> This patch fixes the bug by preventing the potential NULL-ptr-deref.
> 
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This causes a new warning; please build-test your patches.

In file included from ./include/uapi/linux/posix_types.h:5,
                 from ./include/uapi/linux/types.h:14,
                 from ./include/linux/types.h:6,
                 from ./include/linux/list.h:5,
                 from ./include/linux/module.h:9,
                 from drivers/net/wireless/ath/ath10k/usb.c:8:
drivers/net/wireless/ath/ath10k/usb.c: In function 'ath10k_usb_free_urb_to_pipe':
./include/linux/stddef.h:8:14: warning: 'return' with a value, in function returning void
 #define NULL ((void *)0)
              ^
drivers/net/wireless/ath/ath10k/usb.c:64:10: note: in expansion of macro 'NULL'
   return NULL;
          ^~~~
drivers/net/wireless/ath/ath10k/usb.c:57:13: note: declared here
 static void ath10k_usb_free_urb_to_pipe(struct ath10k_usb_pipe *pipe,
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~

Patch set to Changes Requested.

-- 
https://patchwork.kernel.org/patch/11074657/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches



* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-09-01  8:06   ` Kalle Valo
@ 2019-10-18  4:05     ` Guenter Roeck
  2019-10-18  7:58       ` Kalle Valo
  0 siblings, 1 reply; 9+ messages in thread
From: Guenter Roeck @ 2019-10-18  4:05 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Hui Peng, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

On Sun, Sep 01, 2019 at 11:06:05AM +0300, Kalle Valo wrote:
> Guenter Roeck <linux@roeck-us.net> writes:
> 
> > Hi,
> >
> > On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
> >> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
> >> is initialized to point to the containing `ath10k_usb` object
> >> according to endpoint descriptors read from the device side, as shown
> >> below in `ath10k_usb_setup_pipe_resources`:
> >> 
> >> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
> >>         endpoint = &iface_desc->endpoint[i].desc;
> >> 
> >>         // get the address from endpoint descriptor
> >>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
> >>                                                 endpoint->bEndpointAddress,
> >>                                                 &urbcount);
> >>         ......
> >>         // select the pipe object
> >>         pipe = &ar_usb->pipes[pipe_num];
> >> 
> >>         // initialize the ar_usb field
> >>         pipe->ar_usb = ar_usb;
> >> }
> >> 
> >> The driver assumes that the addresses reported in endpoint
> >> descriptors from the device side are complete. If a device is
> >> malicious and does not report complete addresses, it may trigger a
> >> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
> >> `ath10k_usb_free_urb_to_pipe`.
> >> 
> >> This patch fixes the bug by preventing the potential NULL-ptr-deref.
> >> 
> >> Signed-off-by: Hui Peng <benquike@gmail.com>
> >> Reported-by: Hui Peng <benquike@gmail.com>
> >> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> >
> > This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
> > and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
> > next.
> >
> > Is the patch going to be applied to the upstream kernel anytime soon?
> 
> Same answer as in patch 1:
> 
> https://patchwork.kernel.org/patch/11074655/
> 

Sorry to bring this up again. The ath6k patch made it into the upstream
kernel, but the ath10k patch didn't. Did it get lost, or was there a
reason not to apply this patch?

Thanks,
Guenter


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-10-18  4:05     ` Guenter Roeck
@ 2019-10-18  7:58       ` Kalle Valo
  2019-10-18 13:35         ` Guenter Roeck
  0 siblings, 1 reply; 9+ messages in thread
From: Kalle Valo @ 2019-10-18  7:58 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: Hui Peng, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

Guenter Roeck <linux@roeck-us.net> writes:

> On Sun, Sep 01, 2019 at 11:06:05AM +0300, Kalle Valo wrote:
>> Guenter Roeck <linux@roeck-us.net> writes:
>> 
>> > Hi,
>> >
>> > On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
>> >> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
>> >> is initialized to point to the containing `ath10k_usb` object
>> >> according to endpoint descriptors read from the device side, as shown
>> >> below in `ath10k_usb_setup_pipe_resources`:
>> >> 
>> >> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>> >>         endpoint = &iface_desc->endpoint[i].desc;
>> >> 
>> >>         // get the address from endpoint descriptor
>> >>         pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>> >>                                                 endpoint->bEndpointAddress,
>> >>                                                 &urbcount);
>> >>         ......
>> >>         // select the pipe object
>> >>         pipe = &ar_usb->pipes[pipe_num];
>> >> 
>> >>         // initialize the ar_usb field
>> >>         pipe->ar_usb = ar_usb;
>> >> }
>> >> 
>> >> The driver assumes that the addresses reported in endpoint
>> >> descriptors from the device side are complete. If a device is
>> >> malicious and does not report complete addresses, it may trigger a
>> >> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
>> >> `ath10k_usb_free_urb_to_pipe`.
>> >> 
>> >> This patch fixes the bug by preventing the potential NULL-ptr-deref.
>> >> 
>> >> Signed-off-by: Hui Peng <benquike@gmail.com>
>> >> Reported-by: Hui Peng <benquike@gmail.com>
>> >> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
>> >
>> > This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
>> > and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
>> > next.
>> >
>> > Is the patch going to be applied to the upstream kernel anytime soon?
>> 
>> Same answer as in patch 1:
>> 
>> https://patchwork.kernel.org/patch/11074655/
>> 
>
> Sorry to bring this up again. The ath6k patch made it into the upstream
> kernel, but the ath10k patch didn't. Did it get lost, or was there a
> reason not to apply this patch?

This patch had a build warning, you can see it from patchwork:

https://patchwork.kernel.org/patch/11074657/

Can someone fix it and resend the patch, please?

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH 2/2] Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-10-18  7:58       ` Kalle Valo
@ 2019-10-18 13:35         ` Guenter Roeck
  0 siblings, 0 replies; 9+ messages in thread
From: Guenter Roeck @ 2019-10-18 13:35 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Hui Peng, davem, Mathias Payer, ath10k, linux-wireless, netdev,
	linux-kernel

On 10/18/19 12:58 AM, Kalle Valo wrote:
> Guenter Roeck <linux@roeck-us.net> writes:
> 
>> On Sun, Sep 01, 2019 at 11:06:05AM +0300, Kalle Valo wrote:
>>> Guenter Roeck <linux@roeck-us.net> writes:
>>>
>>>> Hi,
>>>>
>>>> On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote:
>>>>> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
>>>>> is initialized to point to the containing `ath10k_usb` object
>>>>> according to endpoint descriptors read from the device side, as shown
>>>>> below in `ath10k_usb_setup_pipe_resources`:
>>>>>
>>>>> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>>>>          endpoint = &iface_desc->endpoint[i].desc;
>>>>>
>>>>>          // get the address from endpoint descriptor
>>>>>          pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
>>>>>                                                  endpoint->bEndpointAddress,
>>>>>                                                  &urbcount);
>>>>>          ......
>>>>>          // select the pipe object
>>>>>          pipe = &ar_usb->pipes[pipe_num];
>>>>>
>>>>>          // initialize the ar_usb field
>>>>>          pipe->ar_usb = ar_usb;
>>>>> }
>>>>>
>>>>> The driver assumes that the addresses reported in endpoint
>>>>> descriptors from the device side are complete. If a device is
>>>>> malicious and does not report complete addresses, it may trigger a
>>>>> NULL-ptr-deref in `ath10k_usb_alloc_urb_from_pipe` and
>>>>> `ath10k_usb_free_urb_to_pipe`.
>>>>>
>>>>> This patch fixes the bug by preventing the potential NULL-ptr-deref.
>>>>>
>>>>> Signed-off-by: Hui Peng <benquike@gmail.com>
>>>>> Reported-by: Hui Peng <benquike@gmail.com>
>>>>> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
>>>>
>>>> This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0)
>>>> and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux
>>>> next.
>>>>
>>>> Is the patch going to be applied to the upstream kernel anytime soon?
>>>
>>> Same answer as in patch 1:
>>>
>>> https://patchwork.kernel.org/patch/11074655/
>>>
>>
>> Sorry to bring this up again. The ath6k patch made it into the upstream
>> kernel, but the ath10k patch didn't. Did it get lost, or was there a
>> reason not to apply this patch?
> 
> This patch had a build warning, you can see it from patchwork:
> 
> https://patchwork.kernel.org/patch/11074657/
> 
> Can someone fix it and resend the patch, please?
> 

Done.

Guenter

