| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210502202827.GG975@breakpoint.cc>
Date: Sun, 2 May 2021 22:28:27 +0200
From: Florian Westphal <fw@...len.de>
To: Phillip Potter <phil@...lpotter.co.uk>
Cc: kvalo@...eaurora.org, davem@...emloft.net, kuba@...nel.org,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, ath9k-devel@....qualcomm.com
Subject: Re: [PATCH] ath9k: ath9k_htc_rx_msg: return when sk_buff is too small
Phillip Potter <phil@...lpotter.co.uk> wrote:
> At the start of ath9k_htc_rx_msg, we check to see if the skb pointer is
> valid, but what we don't do is check if it is large enough to contain a
> valid struct htc_frame_hdr. We should check for this and return, as the
> buffer is invalid in this case. Fixes a KMSAN-found uninit-value bug
> reported by syzbot at:
> https://syzkaller.appspot.com/bug?id=7dccb7d9ad4251df1c49f370607a49e1f09644ee
>
> Reported-by: syzbot+e4534e8c1c382508312c@...kaller.appspotmail.com
> Signed-off-by: Phillip Potter <phil@...lpotter.co.uk>
> ---
> drivers/net/wireless/ath/ath9k/htc_hst.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> index 510e61e97dbc..9dbfff7a388e 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> @@ -403,7 +403,7 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
> struct htc_endpoint *endpoint;
> __be16 *msg_id;
>
> - if (!htc_handle || !skb)
> + if (!htc_handle || !skb || !pskb_may_pull(skb, sizeof(struct htc_frame_hdr)))
> return;
This leaks the skb.
Powered by blists - more mailing lists