lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20241206073542.315095-1-dheeraj.linuxdev@gmail.com>
Date: Fri,  6 Dec 2024 13:05:42 +0530
From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@...il.com>
To: kvalo@...nel.org,
	ath12k@...ts.infradead.org
Cc: jjohnson@...nel.org,
	linux-wireless@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@...il.com>
Subject: [PATCH wireless-next] wifi: ath12k: Fix out-of-bounds read

This patch addresses the Out-of-bounds read issue detected by
Coverity (CID 1602214). The function ath12k_mac_vdev_create() accesses
the vif->link_conf array using link_id, which is derived from
arvif->link_id. In cases where arvif->link_id equals 15, the index
exceeds the bounds of the array, which contains only 15 elements.This
results in an out-of-bounds read.

This issue occurs in the following branch of the code:

    if (arvif->link_id == ATH12K_DEFAULT_SCAN_LINK && vif->valid_links)
        link_id = ffs(vif->valid_links) - 1;
    else
        link_id = arvif->link_id;

When arvif->link_id equals 15 and the else branch is taken, link_id is
set to 15.

This patch adds a bounds check to ensure that link_id does not exceed
the valid range of the vif->link_conf array. If the check fails, a
warning is logged, and the function returns an error code (-EINVAL).

Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@...il.com>
---
 drivers/net/wireless/ath/ath12k/mac.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 129607ac6c1a..c19b10e66f4a 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -7725,6 +7725,12 @@ int ath12k_mac_vdev_create(struct ath12k *ar, struct ath12k_link_vif *arvif)
 	else
 		link_id = arvif->link_id;
 
+	if (link_id >= ARRAY_SIZE(vif->link_conf)) {
+		ath12k_warn(ar->ab, "link_id %u exceeds max valid links for vif %pM\n",
+			    link_id, vif->addr);
+		return -EINVAL;
+	}
+
 	link_conf = wiphy_dereference(hw->wiphy, vif->link_conf[link_id]);
 	if (!link_conf) {
 		ath12k_warn(ar->ab, "unable to access bss link conf in vdev create for vif %pM link %u\n",
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ