From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zekun Shen <bruceshenzk@gmail.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
ath9k-devel@qca.qualcomm.com, kvalo@kernel.org,
davem@davemloft.net, kuba@kernel.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 077/116] ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
Date: Mon, 17 Jan 2022 21:39:28 -0500 [thread overview]
Message-ID: <20220118024007.1950576-77-sashal@kernel.org> (raw)
In-Reply-To: <20220118024007.1950576-1-sashal@kernel.org>
From: Zekun Shen <bruceshenzk@gmail.com>
[ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ]
Large pkt_len can lead to out-out-bound memcpy. Current
ath9k_hif_usb_rx_stream allows combining the content of two urb
inputs to one pkt. The first input can indicate the size of the
pkt. Any remaining size is saved in hif_dev->rx_remain_len.
While processing the next input, memcpy is used with rx_remain_len.
4-byte pkt_len can go up to 0xffff, while a single input is 0x4000
maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for
pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE.
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
<IRQ>
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
__kasan_report.cold+0x37/0x7c
? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
kasan_report+0xe/0x20
check_memory_region+0x15a/0x1d0
memcpy+0x20/0x50
ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc]
? _raw_spin_lock_irqsave+0x7b/0xd0
? _raw_spin_trylock_bh+0x120/0x120
? __usb_unanchor_urb+0x12f/0x210
__usb_hcd_giveback_urb+0x1e4/0x380
usb_giveback_urb_bh+0x241/0x4f0
? __hrtimer_run_queues+0x316/0x740
? __usb_hcd_giveback_urb+0x380/0x380
tasklet_action_common.isra.0+0x135/0x330
__do_softirq+0x18c/0x634
irq_exit+0x114/0x140
smp_apic_timer_interrupt+0xde/0x380
apic_timer_interrupt+0xf/0x20
I found the bug using a custome USBFuzz port. It's a research work
to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
providing hand-crafted usb descriptors to QEMU.
After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU
emulation, I found the KASAN report. The bug is triggerable whenever
pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes
to test the driver works when applying the patch.
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 860da13bfb6ac..f06eec99de688 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -590,6 +590,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev,
return;
}
+ if (pkt_len > 2 * MAX_RX_BUF_SIZE) {
+ dev_err(&hif_dev->udev->dev,
+ "ath9k_htc: invalid pkt_len (%x)\n", pkt_len);
+ RX_STAT_INC(skb_dropped);
+ return;
+ }
+
pad_len = 4 - (pkt_len & 0x3);
if (pad_len == 4)
pad_len = 0;
--
2.34.1
next prev parent reply other threads:[~2022-01-18 3:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220118024007.1950576-1-sashal@kernel.org>
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 006/116] ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply Sasha Levin
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 015/116] ath11k: Fix crash caused by uninitialized TX ring Sasha Levin
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 031/116] mwifiex: Fix skb_over_panic in mwifiex_usb_recv() Sasha Levin
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 032/116] rsi: Fix use-after-free in rsi_rx_done_handler() Sasha Levin
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 033/116] rsi: Fix out-of-bounds read in rsi_read_pkt() Sasha Levin
2022-01-18 2:38 ` [PATCH AUTOSEL 5.10 034/116] ath11k: Avoid NULL ptr access during mgmt tx cleanup Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 050/116] iwlwifi: mvm: synchronize with FW after multicast commands Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 051/116] iwlwifi: mvm: avoid clearing a just saved session protection id Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 053/116] ath11k: avoid deadlock by change ieee80211_queue_work for regd_update_work Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 054/116] ath10k: Fix tx hanging Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 060/116] ath11k: Avoid false DEADLOCK warning reported by lockdep Sasha Levin
2022-01-18 2:39 ` Sasha Levin [this message]
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 078/116] rtw88: 8822c: update rx settings to prevent potential hw deadlock Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 080/116] iwlwifi: fix leaks/bad data after failed firmware load Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 081/116] iwlwifi: remove module loading failure message Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 082/116] iwlwifi: mvm: Fix calculation of frame length Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 083/116] iwlwifi: pcie: make sure prph_info is set when treating wakeup IRQ Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 085/116] ath11k: Fix napi related hang Sasha Levin
2022-01-18 2:39 ` [PATCH AUTOSEL 5.10 102/116] mac80211: allow non-standard VHT MCS-10/11 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220118024007.1950576-77-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath9k-devel@qca.qualcomm.com \
--cc=bruceshenzk@gmail.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=quic_kvalo@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).