lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <543fd250-5ac2-46a4-9c7f-e0ec6550b78d@kernel.org>
Date: Wed, 19 Nov 2025 08:17:15 +0100
From: Jiri Slaby <jirislaby@...nel.org>
To: johannes@...solutions.net
Cc: linux-kernel@...r.kernel.org, Vincent Danjean <vdanjean@...ian.org>,
 1119093@...s.debian.org, Salvatore Bonaccorso <carnil@...ian.org>,
 Nick Kossifidis <mickflemm@...il.com>, Luis Chamberlain <mcgrof@...nel.org>,
 linux-wireless@...r.kernel.org
Subject: Re: [PATCH] wifi: ath5k: do not access array OOB

On 19. 11. 25, 8:12, Jiri Slaby (SUSE) wrote:
> Vincent reports:
>> The ath5k driver seems to do an array-index-out-of-bounds access as
>> shown by the UBSAN kernel message:
>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
>> index 4 is out of range for type 'ieee80211_tx_rate [4]'
>> ...
>> Call Trace:
>>   <TASK>
>>   dump_stack_lvl+0x5d/0x80
>>   ubsan_epilogue+0x5/0x2b
>>   __ubsan_handle_out_of_bounds.cold+0x46/0x4b
>>   ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
>>   tasklet_action_common+0xb5/0x1c0
> 
> It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
>     info->status.rates[ts->ts_final_idx + 1].idx = -1;
> with the array defined as:
>     struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
> while the size is:
>     #define IEEE80211_TX_MAX_RATES  4
> is indeed bogus.
> 
> Set this 'idx = -1' sentinel only if the array index is less than the
> array size. As mac80211 will not look at rates beyond the size
> (IEEE80211_TX_MAX_RATES).
> 
> Note: The effect of the OOB write is negligible. It just overwrites the
> next member of info->status, i.e. ack_signal.
> 
> Signed-off-by: Jiri Slaby (SUSE) <jirislaby@...nel.org>
> Reported-by: Vincent Danjean <vdanjean@...ian.org>
> Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
> Closes: https://bugs.debian.org/1119093

I forgot:
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@...r.kernel.org

Do you want me to resend?

> ---
> Cc: 1119093@...s.debian.org
> Cc: Salvatore Bonaccorso <carnil@...ian.org>
> Cc: Nick Kossifidis <mickflemm@...il.com>,
> Cc: Luis Chamberlain <mcgrof@...nel.org>
> Cc: linux-wireless@...r.kernel.org
> ---
>   drivers/net/wireless/ath/ath5k/base.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c
> index 4d88b02ffa79..917e1b087924 100644
> --- a/drivers/net/wireless/ath/ath5k/base.c
> +++ b/drivers/net/wireless/ath/ath5k/base.c
> @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb,
>   	}
>   
>   	info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
> -	info->status.rates[ts->ts_final_idx + 1].idx = -1;
> +	if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
> +		info->status.rates[ts->ts_final_idx + 1].idx = -1;
>   
>   	if (unlikely(ts->ts_status)) {
>   		ah->stats.ack_fail++;

thanks,
-- 
js
suse labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ