[v2] wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Commit Message

Jeongjun Park Sept. 9, 2024, 10:38 a.m. UTC

I found the following bug in my fuzzer:

  UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
  index 255 is out of range for type 'htc_endpoint [22]'
  CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
  Workqueue: events request_firmware_work_func
  Call Trace:
   <TASK>
   dump_stack_lvl+0x180/0x1b0
   __ubsan_handle_out_of_bounds+0xd4/0x130
   htc_issue_send.constprop.0+0x20c/0x230
   ? _raw_spin_unlock_irqrestore+0x3c/0x70
   ath9k_wmi_cmd+0x41d/0x610
   ? mark_held_locks+0x9f/0xe0
   ...

Since this bug has been confirmed to be caused by insufficient verification 
of conn_rsp_epid, I think it would be appropriate to add a range check for 
conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
 1 file changed, 3 insertions(+)

--

Comments

Toke Høiland-Jørgensen Sept. 9, 2024, 11:23 a.m. UTC | #1

Jeongjun Park <aha310510@gmail.com> writes:

> I found the following bug in my fuzzer:
>
>   UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>   index 255 is out of range for type 'htc_endpoint [22]'
>   CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>   Workqueue: events request_firmware_work_func
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x180/0x1b0
>    __ubsan_handle_out_of_bounds+0xd4/0x130
>    htc_issue_send.constprop.0+0x20c/0x230
>    ? _raw_spin_unlock_irqrestore+0x3c/0x70
>    ath9k_wmi_cmd+0x41d/0x610
>    ? mark_held_locks+0x9f/0xe0
>    ...
>
> Since this bug has been confirmed to be caused by insufficient verification 
> of conn_rsp_epid, I think it would be appropriate to add a range check for 
> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>

Kalle Valo Sept. 14, 2024, 11:46 a.m. UTC | #2

Jeongjun Park <aha310510@gmail.com> wrote:

> I found the following bug in my fuzzer:
> 
>   UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>   index 255 is out of range for type 'htc_endpoint [22]'
>   CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>   Workqueue: events request_firmware_work_func
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x180/0x1b0
>    __ubsan_handle_out_of_bounds+0xd4/0x130
>    htc_issue_send.constprop.0+0x20c/0x230
>    ? _raw_spin_unlock_irqrestore+0x3c/0x70
>    ath9k_wmi_cmd+0x41d/0x610
>    ? mark_held_locks+0x9f/0xe0
>    ...
> 
> Since this bug has been confirmed to be caused by insufficient verification
> of conn_rsp_epid, I think it would be appropriate to add a range check for
> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
> 
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>

Patch applied to ath-next branch of ath.git, thanks.

8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Jeongjun Park Oct. 22, 2024, 12:36 a.m. UTC | #3

> Kalle Valo <kvalo@kernel.org> wrote:
> 
> Jeongjun Park <aha310510@gmail.com> wrote:
> 
>> I found the following bug in my fuzzer:
>> 
>>  UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>  index 255 is out of range for type 'htc_endpoint [22]'
>>  CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>  Workqueue: events request_firmware_work_func
>>  Call Trace:
>>   <TASK>
>>   dump_stack_lvl+0x180/0x1b0
>>   __ubsan_handle_out_of_bounds+0xd4/0x130
>>   htc_issue_send.constprop.0+0x20c/0x230
>>   ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>   ath9k_wmi_cmd+0x41d/0x610
>>   ? mark_held_locks+0x9f/0xe0
>>   ...
>> 
>> Since this bug has been confirmed to be caused by insufficient verification
>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>> 
>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
> 
> Patch applied to ath-next branch of ath.git, thanks.
> 

I think this patch should be applied to the next rc version immediately
to fix the oob vulnerability as soon as possible, and also to the 
stable version.

Regards,

Jeongjun Park

> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
> 
> --
> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
> 
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
> https://docs.kernel.org/process/submitting-patches.html
>

Jeongjun Park Oct. 22, 2024, 12:39 a.m. UTC | #4

> Jeongjun Park <aha310510@gmail.com> wrote:
> 
> 
> 
>> Kalle Valo <kvalo@kernel.org> wrote:
>> 
>> Jeongjun Park <aha310510@gmail.com> wrote:
>> 
>>> I found the following bug in my fuzzer:
>>> 
>>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>> index 255 is out of range for type 'htc_endpoint [22]'
>>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>> Workqueue: events request_firmware_work_func
>>> Call Trace:
>>>  <TASK>
>>>  dump_stack_lvl+0x180/0x1b0
>>>  __ubsan_handle_out_of_bounds+0xd4/0x130
>>>  htc_issue_send.constprop.0+0x20c/0x230
>>>  ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>>  ath9k_wmi_cmd+0x41d/0x610
>>>  ? mark_held_locks+0x9f/0xe0
>>>  ...
>>> 
>>> Since this bug has been confirmed to be caused by insufficient verification
>>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>> 
>>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
>> 
>> Patch applied to ath-next branch of ath.git, thanks.
>> 
> 

Cc: <stable@vger.kernel.org>

> I think this patch should be applied to the next rc version immediately
> to fix the oob vulnerability as soon as possible, and also to the
> stable version.
> 
> Regards,
> 
> Jeongjun Park
> 
>> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
>> 
>> --
>> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
>> 
>> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
>> https://docs.kernel.org/process/submitting-patches.html
>>

Kalle Valo Oct. 22, 2024, 7:02 a.m. UTC | #5

Jeongjun Park <aha310510@gmail.com> writes:

>> Kalle Valo <kvalo@kernel.org> wrote:
>> 
>> Jeongjun Park <aha310510@gmail.com> wrote:
>> 
>>> I found the following bug in my fuzzer:
>>> 
>>>  UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>>  index 255 is out of range for type 'htc_endpoint [22]'
>>>  CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>>  Workqueue: events request_firmware_work_func
>>>  Call Trace:
>>>   <TASK>
>>>   dump_stack_lvl+0x180/0x1b0
>>>   __ubsan_handle_out_of_bounds+0xd4/0x130
>>>   htc_issue_send.constprop.0+0x20c/0x230
>>>   ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>>   ath9k_wmi_cmd+0x41d/0x610
>>>   ? mark_held_locks+0x9f/0xe0
>>>   ...
>>> 
>>> Since this bug has been confirmed to be caused by insufficient verification
>>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>> 
>>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
>> 
>> Patch applied to ath-next branch of ath.git, thanks.
>> 
>
> I think this patch should be applied to the next rc version immediately
> to fix the oob vulnerability as soon as possible, and also to the 
> stable version.

ath-next is fine, the issue has been in ath9k forever so waiting four
weeks or so to get to Linus' tree is not making any difference.

Patch

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..b5257b2b4aa5 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -294,6 +294,9 @@  int htc_connect_service(struct htc_target *target,
 		return -ETIMEDOUT;
 	}
 
+	if (target->conn_rsp_epid < 0 || target->conn_rsp_epid >= ENDPOINT_MAX)
+		return -EINVAL;
+
 	*conn_rsp_epid = target->conn_rsp_epid;
 	return 0;
 err: