lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <tencent_F3E6370A4B6C7467779367AE3CB3363E9609@qq.com>
Date: Sun, 25 Aug 2024 16:14:17 +0800
From: Edward Adam Davis <eadavis@...com>
To: gregkh@...uxfoundation.org
Cc: eadavis@...com,
	kvalo@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-usb@...r.kernel.org,
	linux-wireless@...r.kernel.org,
	netdev@...r.kernel.org,
	syzbot+92c6dd14aaa230be6855@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] wifi: ath6kl: Check that the read operation returns a data length of 0

On Sun, 25 Aug 2024 09:25:37 +0200, Greg KH wrote:
> > If the data length returned by the device is 0, the read operation
> > should be considered a failure.
> >
> > Reported-and-tested-by: syzbot+92c6dd14aaa230be6855@...kaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@...com>
> > ---
> >  drivers/net/wireless/ath/ath6kl/usb.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
> > index 5220809841a6..2a89bab81b24 100644
> > --- a/drivers/net/wireless/ath/ath6kl/usb.c
> > +++ b/drivers/net/wireless/ath/ath6kl/usb.c
> > @@ -1034,6 +1034,9 @@ static int ath6kl_usb_bmi_read(struct ath6kl *ar, u8 *buf, u32 len)
> >  		ath6kl_err("Unable to read the bmi data from the device: %d\n",
> >  			   ret);
> >  		return ret;
> > +	} else {
> > +		ath6kl_err("Actual read the bmi data length is 0 from the device\n");
> > +		return -EIO;
> 
> Close, but not quite there.  ath6kl_usb_submit_ctrl_in() needs to verify
> that the actual amount of data was read that was asked for.  If a short
> read happens (or a long one), then an error needs to propagate out, not
> just 0.  See the "note:" line in that function for what needs to be
> properly checked.
> 
> hope this helps,
Thanks for your analysis.
I have carefully read your analysis and I am not sure if the following
understanding is appropriate:
diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
index 2a89bab81b24..35884316a8c8 100644
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
@@ -932,6 +932,15 @@ static int ath6kl_usb_submit_ctrl_in(struct ath6kl_usb *ar_usb,

        kfree(buf);

+       /* There are two types of read failure situations that need to be captured:
+        * 1. short read: ret < size && ret >= 0
+        * 2. long read: ret > size
+        * */
+       if (req == ATH6KL_USB_CONTROL_REQ_RECV_BMI_RESP && ret != size) {
+               ath6kl_warn("Actual read the data length is: %d, but input size is %d\n", ret, size);
+               return -EIO;
+       }
+
        return 0;
 }

BR,
Edward

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ