| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_38BA83BB7233789ED71B8B4B181BD325F208@qq.com>
Date: Thu, 21 Mar 2024 09:39:41 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+93cbd5fbb85814306ba1@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send
please test oob in htc_issue_send
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 805ad31edba2..5d531aacedbc 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -275,6 +275,7 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,
connect.service_id = WMI_CONTROL_SVC;
ret = htc_connect_service(htc, &connect, &wmi->ctrl_epid);
+ printk("ret: %d, wmi: %p, epid: %d, %s\n", ret, wmi, wmi->ctrl_epid, __func__);
if (ret)
return ret;
@@ -304,6 +305,9 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
wmi->last_seq_id = wmi->tx_seq_id;
spin_unlock_irqrestore(&wmi->wmi_lock, flags);
+ printk("wmi: %p, epid: %d, %s\n", wmi, wmi->ctrl_epid, __func__);
+ if (wmi->ctrl_epid < 0 || wmi->ctrl_epid > ENDPOINT_MAX)
+ return -EINVAL;
return htc_send_epid(wmi->htc, skb, wmi->ctrl_epid);
}
Powered by blists - more mailing lists