lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <311B4F6D-9D70-44A8-A367-ED2721C58AC4@gmail.com>
Date: Tue, 22 Oct 2024 09:39:47 +0900
From: Jeongjun Park <aha310510@...il.com>
To: Kalle Valo <kvalo@...nel.org>
Cc: toke@...e.dk, Sujith.Manoharan@...eros.com, senthilkumar@...eros.com,
 vasanth@...eros.com, linville@...driver.com, linux-wireless@...r.kernel.org,
 linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH v2] wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()



> Jeongjun Park <aha310510@...il.com> wrote:
> 
> 
> 
>> Kalle Valo <kvalo@...nel.org> wrote:
>> 
>> Jeongjun Park <aha310510@...il.com> wrote:
>> 
>>> I found the following bug in my fuzzer:
>>> 
>>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>> index 255 is out of range for type 'htc_endpoint [22]'
>>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>> Workqueue: events request_firmware_work_func
>>> Call Trace:
>>>  <TASK>
>>>  dump_stack_lvl+0x180/0x1b0
>>>  __ubsan_handle_out_of_bounds+0xd4/0x130
>>>  htc_issue_send.constprop.0+0x20c/0x230
>>>  ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>>  ath9k_wmi_cmd+0x41d/0x610
>>>  ? mark_held_locks+0x9f/0xe0
>>>  ...
>>> 
>>> Since this bug has been confirmed to be caused by insufficient verification
>>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>> 
>>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>>> Signed-off-by: Jeongjun Park <aha310510@...il.com>
>>> Acked-by: Toke Høiland-Jørgensen <toke@...e.dk>
>>> Signed-off-by: Kalle Valo <quic_kvalo@...cinc.com>
>> 
>> Patch applied to ath-next branch of ath.git, thanks.
>> 
> 

Cc: <stable@...r.kernel.org>

> I think this patch should be applied to the next rc version immediately
> to fix the oob vulnerability as soon as possible, and also to the
> stable version.
> 
> Regards,
> 
> Jeongjun Park
> 
>> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
>> 
>> --
>> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
>> 
>> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
>> https://docs.kernel.org/process/submitting-patches.html
>> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ