wifi: ath10k: add extra output check in ath10k_wmi_event_debug_print()

Message ID 20250110115024.1497597-1-dmantipov@yandex.ru (mailing list archive)
State New
Delegated to: Kalle Valo

Commit Message

Dmitry Antipov Jan. 10, 2025, 11:50 a.m. UTC
In 'ath10k_wmi_event_debug_print()', passing skb of the very weird
layout may produce debug output of the zero length. In such a case,
'if (skb->data[i - 1] == '\n')' will trigger an access beyond skb data
boundaries. So fix this by adding an extra check whether at least one
byte of the debug output was really emitted. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Suggested-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kalle Valo Jan. 10, 2025, 12:28 p.m. UTC | #1
Dmitry Antipov <dmantipov@yandex.ru> writes:

> In 'ath10k_wmi_event_debug_print()', passing skb of the very weird
> layout may produce debug output of the zero length. In such a case,
> 'if (skb->data[i - 1] == '\n')' will trigger an access beyond skb data
> boundaries. So fix this by adding an extra check whether at least one
> byte of the debug output was really emitted. Compile tested only.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Suggested-by: Fedor Pchelkin <pchelkin@ispras.ru>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>

Adding ath10k list.

Patch

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 5e061f7525a6..ca3237c7d5b0 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -4618,7 +4618,7 @@  void ath10k_wmi_event_debug_print(struct ath10k *ar, struct sk_buff *skb)
 		ath10k_warn(ar, "wmi debug print truncated: %d\n", skb->len);
 
 	/* for some reason the debug prints end with \n, remove that */
-	if (skb->data[i - 1] == '\n')
+	if (i && skb->data[i - 1] == '\n')
 		i--;
 
 	/* the last byte is always reserved for the null character */
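Review bot: The comment above the changed check ("for some reason the debug prints end with \n, remove that") still explains only the newline stripping and says nothing about why i can be zero here; extend it to mention that no byte of output may have been emitted, so the new guard is not later dropped as redundant. If i is a signed int (its declaration is outside this hunk), `i > 0` would state the intent more directly than `i &&`. The commit message says the change is compile tested only and carries no Fixes: tag, so a reference to the commit that introduced the unguarded `skb->data[i - 1]` read would help stable backports.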