lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_C6AB9264DD87DDB41946CFFA8DAA25B10D07@qq.com>
Date: Thu, 21 Mar 2024 09:15:22 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+93cbd5fbb85814306ba1@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 805ad31edba2..5d531aacedbc 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -275,6 +275,7 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,
 	connect.service_id = WMI_CONTROL_SVC;
 
 	ret = htc_connect_service(htc, &connect, &wmi->ctrl_epid);
+	printk("ret: %d, wmi: %p, epid: %d, %s\n", ret, wmi, wmi->ctrl_epid, __func__);
 	if (ret)
 		return ret;
 
@@ -304,6 +305,9 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
 	wmi->last_seq_id = wmi->tx_seq_id;
 	spin_unlock_irqrestore(&wmi->wmi_lock, flags);
 
+	printk("wmi: %p, epid: %d, %s\n", wmi, wmi->ctrl_epid, __func__);
+	if (wmi->ctrl_epid < 0 || wmi->ctrl_epid > ENDPOINT_MAX)
+		return -EINVAL;
 	return htc_send_epid(wmi->htc, skb, wmi->ctrl_epid);
 }
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ