linux-wireless.vger.kernel.org archive mirror
* [PATCH] ath9k: fix OOB read ar9300_eeprom_restore_internal
@ 2021-06-19 13:29 Zekun Shen
From: Zekun Shen @ 2021-06-19 13:29 UTC (permalink / raw)
  To: bruceshenzk
  Cc: linux-wireless, ath9k-devel, Kalle Valo, David S. Miller, Jakub Kicinski

A bad header can have a large length field, which can cause an OOB read.
cptr is the last byte to read, and the EEPROM is parsed
from high to low address. The OOB read, triggered by the condition
length > cptr, could cause a memory error with a read on a
negative index.

There are some sanity checks around length, but it is not
compared with cptr (the remaining bytes). Here, a
corrupted/bad EEPROM can cause a panic.

I was able to reproduce the crash, but I cannot find the
log and the reproducer now. After I applied the patch, the
bug is no longer reproducible.

Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index b4885a700296..b0a4ca3559fd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
 			"Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
 			cptr, code, reference, length, major, minor);
 		if ((!AR_SREV_9485(ah) && length >= 1024) ||
-		    (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
+		    (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) ||
+		    (length > cptr)) {
 			ath_dbg(common, EEPROM, "Skipping bad header\n");
 			cptr -= COMP_HDR_LEN;
 			continue;
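Review bot: the new `(length > cptr)` test may still be a few bytes loose. The skip path right below it steps `cptr -= COMP_HDR_LEN`, which says the header bytes sit at `cptr` alongside the payload, so the read that follows a good header presumably covers `COMP_HDR_LEN + length` (and any trailing checksum) bytes downward from `cptr`, not `length` alone; please confirm the bound, or use `length + COMP_HDR_LEN > cptr` (plus the checksum length if one is read). Two smaller points: the parentheses around `length > cptr` are redundant next to the other two terms, and the `"Skipping bad header\n"` debug line would be more useful for diagnosing a corrupt EEPROM image if it printed `length` and `cptr`, so a skipped block leaves a reason in the log. A one-line comment above the condition noting that this term guards the downward read against running below offset 0 would also help, since the other two terms check hardware maxima rather than remaining bytes.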
-- 
2.23.0.rc1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] ath9k: fix OOB read ar9300_eeprom_restore_internal
  2021-06-19 13:29 [PATCH] ath9k: fix OOB read ar9300_eeprom_restore_internal Zekun Shen
@ 2021-08-29  7:12 ` Kalle Valo
From: Kalle Valo @ 2021-08-29  7:12 UTC (permalink / raw)
  To: Zekun Shen
  Cc: bruceshenzk, linux-wireless, ath9k-devel, David S. Miller,
	Jakub Kicinski

Zekun Shen <bruceshenzk@gmail.com> wrote:

> A bad header can have a large length field, which can cause an OOB read.
> cptr is the last byte to read, and the EEPROM is parsed
> from high to low address. The OOB read, triggered by the condition
> length > cptr, could cause a memory error with a read on a
> negative index.
> 
> There are some sanity checks around length, but it is not
> compared with cptr (the remaining bytes). Here, a
> corrupted/bad EEPROM can cause a panic.
> 
> I was able to reproduce the crash, but I cannot find the
> log and the reproducer now. After I applied the patch, the
> bug is no longer reproducible.
> 
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

23151b9ae79e ath9k: fix OOB read ar9300_eeprom_restore_internal

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches



* Re: [PATCH] ath9k: fix OOB read ar9300_eeprom_restore_internal
       [not found] <YM1ajkPk+7ve4Ls9@Zekuns-MBP-16.fios-router.home>
@ 2021-06-19  8:48 ` Kalle Valo
From: Kalle Valo @ 2021-06-19  8:48 UTC (permalink / raw)
  To: Zekun Shen; +Cc: ath9k-devel, David S. Miller, Jakub Kicinski, linux-wireless

+ linux-wireless

Zekun Shen <bruceshenzk@gmail.com> writes:

> A bad header can have a large length field, which can cause an OOB read.
> cptr is the last byte to read, and the EEPROM is parsed
> from high to low address. The OOB read, triggered by the condition
> length > cptr, could cause a memory error with a read on a
> negative index.
>
> There are some sanity checks around length, but it is not
> compared with cptr (the remaining bytes). Here, a
> corrupted/bad EEPROM can cause a panic.
>
> I was able to reproduce the crash, but I cannot find the
> log and the reproducer now. After I applied the patch, the
> bug is no longer reproducible.
>
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>

Please resubmit and cc linux-wireless list, otherwise patchwork won't
see the patch and then it will be out of my radar.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
