From patchwork Tue Jun 20 01:13:39 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaoqing Pan <miaoqing@codeaurora.org>
X-Patchwork-Id: 9798309
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	62CD860328 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 20 Jun 2017 01:14:05 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 52F541FEB1
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 20 Jun 2017 01:14:05 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4785F209D8; Tue, 20 Jun 2017 01:14:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 33DA61FEB1
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 20 Jun 2017 01:14:04 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752774AbdFTBOC (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 19 Jun 2017 21:14:02 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:52348 "EHLO
	smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752665AbdFTBOB (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Mon, 19 Jun 2017 21:14:01 -0400
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
	id A0550607F4; Tue, 20 Jun 2017 01:14:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1497921240;
	bh=OvaKH0ZrnqD1N8OspMRBunWSizpB8FhRctQ5rVpQ1Z4=;
	h=From:To:Cc:Subject:Date:From;
	b=RCPQ5awUJsta1QV/j7w8owk/JvzrL2yRs3SP4LL2EL+xVlUte21eMNvjuYClnahuR
	8FpBKg7bAnBtpqhPnrrhF/tTBd/NOQn8bEp8Y9ipOleiwlzLf42CKW06I39cpoTCpX
	ZfWmESNilYqpJPyATngYrGZQCkabUNUV/5kaENO8=
Received: from smtp.codeaurora.org (unknown [180.166.53.21])
	(using TLSv1 with cipher AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: miaoqing@smtp.codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id B945A607F4;
	Tue, 20 Jun 2017 01:13:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1497921239;
	bh=OvaKH0ZrnqD1N8OspMRBunWSizpB8FhRctQ5rVpQ1Z4=;
	h=From:To:Cc:Subject:Date:From;
	b=moRrbhcfHnUqFZBdqxuJogqSmsxcJxe5yGd5Z69TjK0AKaemA8NseRw6Cu47t7zPe
	KNhjYiHtpP6cuoro2d0hFN2I/d4fx5rwHMstObuaDa1FKsEM0rKfPgqPAabwE04/0d
	Ho/lWF53b6XYTCigpGGZH+0zom4AD5b1BADOXnfg=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org B945A607F4
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	dmarc=none (p=none dis=none)
	header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	spf=none smtp.mailfrom=miaoqing@codeaurora.org
Received: by smtp.codeaurora.org (sSMTP sendmail emulation);
	Tue, 20 Jun 2017 09:13:42 +0800
From: miaoqing@codeaurora.org
To: kvalo@qca.qualcomm.com
Cc: linux-wireless@vger.kernel.org, ath9k-devel@qca.qualcomm.com,
	sssa@qti.qualcomm.com, Miaoqing Pan <miaoqing@codeaurora.org>
Subject: [PATCH 1/2] ath9k: fix tx99 use after free
Date: Tue, 20 Jun 2017 09:13:39 +0800
Message-Id: <1497921220-12940-1-git-send-email-miaoqing@codeaurora.org>
X-Mailer: git-send-email 1.9.1
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Miaoqing Pan <miaoqing@codeaurora.org>

One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc->tx99_state to true
after allocating sc->tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc->tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
that would make use of the freed sc->tx99_skb memory.

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
---
 drivers/net/wireless/ath/ath9k/tx99.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c
index a866cbd..49ed1af 100644
--- a/drivers/net/wireless/ath/ath9k/tx99.c
+++ b/drivers/net/wireless/ath/ath9k/tx99.c
@@ -189,22 +189,27 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
 	if (strtobool(buf, &start))
 		return -EINVAL;
 
+	mutex_lock(&sc->mutex);
+
 	if (start == sc->tx99_state) {
 		if (!start)
-			return count;
+			goto out;
 		ath_dbg(common, XMIT, "Resetting TX99\n");
 		ath9k_tx99_deinit(sc);
 	}
 
 	if (!start) {
 		ath9k_tx99_deinit(sc);
-		return count;
+		goto out;
 	}
 
 	r = ath9k_tx99_init(sc);
-	if (r)
+	if (r) {
+		mutex_unlock(&sc->mutex);
 		return r;
-
+	}
+out:
+	mutex_unlock(&sc->mutex);
 	return count;
 }