| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 30 May 2021 12:00:53 +0300
From: Kalle Valo <kvalo@...eaurora.org>
To: Phillip Potter <phil@...lpotter.co.uk>
Cc: davem@...emloft.net, kuba@...nel.org,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, ath9k-devel@....qualcomm.com,
fw@...len.de
Subject: Re: [PATCH v2] ath9k: ath9k_htc_rx_msg: return when sk_buff is too small
Phillip Potter <phil@...lpotter.co.uk> writes:
> At the start of ath9k_htc_rx_msg, we check to see if the skb pointer is
> valid, but what we don't do is check if it is large enough to contain a
> valid struct htc_frame_hdr. We should check for this and return if not,
> as the buffer is invalid in this case. Fixes a KMSAN-found uninit-value bug
> reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=7dccb7d9ad4251df1c49f370607a49e1f09644ee
>
> Reported-by: syzbot+e4534e8c1c382508312c@...kaller.appspotmail.com
> Signed-off-by: Phillip Potter <phil@...lpotter.co.uk>
> ---
>
> V2:
> * Free skb properly when this problem is detected, as pointed out by
> Florian Westphal.
>
> ---
> drivers/net/wireless/ath/ath9k/htc_hst.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> index 510e61e97dbc..1fe89b068ac4 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> @@ -406,6 +406,11 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
> if (!htc_handle || !skb)
> return;
>
> + if (!pskb_may_pull(skb, sizeof(struct htc_frame_hdr))) {
> + kfree_skb(skb);
> + return;
> + }
This does not look complete to me, I think the function is missing
proper length checks. For example, with ENDPOINT0 it reads two byte
msg_id after the htc header and it's not verified that skb really has
that. I did not check if ep_callbacks.rx handlers have proper length
handling, I recommend verifying that also while fixing this.
Also I want to point out that the skb is freed differently based on
endpoint, I did not check why and don't know if it causes:
if (epid < 0 || epid >= ENDPOINT_MAX) {
if (pipe_id != USB_REG_IN_PIPE)
dev_kfree_skb_any(skb);
else
kfree_skb(skb);
return;
}
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Powered by blists - more mailing lists