| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3ed0ccbf-1ce8-7429-151c-d21eb5311f6a@quicinc.com>
Date: Tue, 10 Dec 2024 12:17:13 +0530
From: Vasanthakumar Thiagarajan <quic_vthiagar@...cinc.com>
To: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@...il.com>,
<kvalo@...nel.org>, <ath12k@...ts.infradead.org>
CC: <jjohnson@...nel.org>, <linux-wireless@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 wireless-next] wifi: ath12k: Fix out-of-bounds read in
ath12k_mac_vdev_create
On 12/7/2024 12:43 PM, Dheeraj Reddy Jonnalagadda wrote:
> Add a bounds check to ath12k_mac_vdev_create() to prevent an out-of-bounds
> read in the vif->link_conf array. The function uses link_id, derived from
> arvif->link_id, to index the array. When link_id equals 15, the index
> exceeds the bounds of the array, which contains only 15 elements.
>
> This issue occurs in the following code branch:
>
> if (arvif->link_id == ATH12K_DEFAULT_SCAN_LINK && vif->valid_links)
> link_id = ffs(vif->valid_links) - 1;
> else
> link_id = arvif->link_id;
>
> When the first condition in the if statement is true and the second
> condition is false, it implies that arvif->link_id equals 15 and
> the else branch is taken, where link_id is set to 15, causing an
> out-of-bounds access when vif->link_conf array is read using link_id
> as index.
Practically this can not happen as ath12k_mac_assign_link_vif() which
retrieves the arvif by link_id before calling ath12k_mac_vdev_create()
sanitizes the link_id when there are no valid_links running for that
vif (!vif->valid_links).
Vasanth
Powered by blists - more mailing lists