drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++ 1 file changed, 3 insertions(+)
I found the following bug in my fuzzer:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
index 255 is out of range for type 'htc_endpoint [22]'
CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
dump_stack_lvl+0x180/0x1b0
__ubsan_handle_out_of_bounds+0xd4/0x130
htc_issue_send.constprop.0+0x20c/0x230
? _raw_spin_unlock_irqrestore+0x3c/0x70
ath9k_wmi_cmd+0x41d/0x610
? mark_held_locks+0x9f/0xe0
...
Since this bug has been confirmed to be caused by insufficient verification
of conn_rsp_epid, I think it would be appropriate to add a range check for
conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..b5257b2b4aa5 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -294,6 +294,9 @@ int htc_connect_service(struct htc_target *target,
return -ETIMEDOUT;
}
+ if (target->conn_rsp_epid < 0 || target->conn_rsp_epid >= ENDPOINT_MAX)
+ return -EINVAL;
+
*conn_rsp_epid = target->conn_rsp_epid;
return 0;
err:
--Jeongjun Park <aha310510@gmail.com> wrote:
> I found the following bug in my fuzzer:
>
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
> index 255 is out of range for type 'htc_endpoint [22]'
> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: events request_firmware_work_func
> Call Trace:
> <TASK>
> dump_stack_lvl+0x180/0x1b0
> __ubsan_handle_out_of_bounds+0xd4/0x130
> htc_issue_send.constprop.0+0x20c/0x230
> ? _raw_spin_unlock_irqrestore+0x3c/0x70
> ath9k_wmi_cmd+0x41d/0x610
> ? mark_held_locks+0x9f/0xe0
> ...
>
> Since this bug has been confirmed to be caused by insufficient verification
> of conn_rsp_epid, I think it would be appropriate to add a range check for
> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Patch applied to ath-next branch of ath.git, thanks.
8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
--
https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
https://docs.kernel.org/process/submitting-patches.html
> Kalle Valo <kvalo@kernel.org> wrote:
>
> Jeongjun Park <aha310510@gmail.com> wrote:
>
>> I found the following bug in my fuzzer:
>>
>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>> index 255 is out of range for type 'htc_endpoint [22]'
>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>> Workqueue: events request_firmware_work_func
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x180/0x1b0
>> __ubsan_handle_out_of_bounds+0xd4/0x130
>> htc_issue_send.constprop.0+0x20c/0x230
>> ? _raw_spin_unlock_irqrestore+0x3c/0x70
>> ath9k_wmi_cmd+0x41d/0x610
>> ? mark_held_locks+0x9f/0xe0
>> ...
>>
>> Since this bug has been confirmed to be caused by insufficient verification
>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>
>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
>
> Patch applied to ath-next branch of ath.git, thanks.
>
I think this patch should be applied to the next rc version immediately
to fix the oob vulnerability as soon as possible, and also to the
stable version.
Regards,
Jeongjun Park
> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
>
> --
> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
>
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
> https://docs.kernel.org/process/submitting-patches.html
>
Jeongjun Park <aha310510@gmail.com> writes:
>> Kalle Valo <kvalo@kernel.org> wrote:
>>
>> Jeongjun Park <aha310510@gmail.com> wrote:
>>
>>> I found the following bug in my fuzzer:
>>>
>>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>> index 255 is out of range for type 'htc_endpoint [22]'
>>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>> Workqueue: events request_firmware_work_func
>>> Call Trace:
>>> <TASK>
>>> dump_stack_lvl+0x180/0x1b0
>>> __ubsan_handle_out_of_bounds+0xd4/0x130
>>> htc_issue_send.constprop.0+0x20c/0x230
>>> ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>> ath9k_wmi_cmd+0x41d/0x610
>>> ? mark_held_locks+0x9f/0xe0
>>> ...
>>>
>>> Since this bug has been confirmed to be caused by insufficient verification
>>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>>
>>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
>>
>> Patch applied to ath-next branch of ath.git, thanks.
>>
>
> I think this patch should be applied to the next rc version immediately
> to fix the oob vulnerability as soon as possible, and also to the
> stable version.
ath-next is fine, the issue has been in ath9k forever so waiting four
weeks or so to get to Linus' tree is not making any difference.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
> Jeongjun Park <aha310510@gmail.com> wrote:
>
>
>
>> Kalle Valo <kvalo@kernel.org> wrote:
>>
>> Jeongjun Park <aha310510@gmail.com> wrote:
>>
>>> I found the following bug in my fuzzer:
>>>
>>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
>>> index 255 is out of range for type 'htc_endpoint [22]'
>>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>>> Workqueue: events request_firmware_work_func
>>> Call Trace:
>>> <TASK>
>>> dump_stack_lvl+0x180/0x1b0
>>> __ubsan_handle_out_of_bounds+0xd4/0x130
>>> htc_issue_send.constprop.0+0x20c/0x230
>>> ? _raw_spin_unlock_irqrestore+0x3c/0x70
>>> ath9k_wmi_cmd+0x41d/0x610
>>> ? mark_held_locks+0x9f/0xe0
>>> ...
>>>
>>> Since this bug has been confirmed to be caused by insufficient verification
>>> of conn_rsp_epid, I think it would be appropriate to add a range check for
>>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>>>
>>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
>>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
>>
>> Patch applied to ath-next branch of ath.git, thanks.
>>
>
Cc: <stable@vger.kernel.org>
> I think this patch should be applied to the next rc version immediately
> to fix the oob vulnerability as soon as possible, and also to the
> stable version.
>
> Regards,
>
> Jeongjun Park
>
>> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
>>
>> --
>> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68006-1-aha310510@gmail.com/
>>
>> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
>> https://docs.kernel.org/process/submitting-patches.html
>>
Jeongjun Park <aha310510@gmail.com> writes:
> I found the following bug in my fuzzer:
>
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
> index 255 is out of range for type 'htc_endpoint [22]'
> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: events request_firmware_work_func
> Call Trace:
> <TASK>
> dump_stack_lvl+0x180/0x1b0
> __ubsan_handle_out_of_bounds+0xd4/0x130
> htc_issue_send.constprop.0+0x20c/0x230
> ? _raw_spin_unlock_irqrestore+0x3c/0x70
> ath9k_wmi_cmd+0x41d/0x610
> ? mark_held_locks+0x9f/0xe0
> ...
>
> Since this bug has been confirmed to be caused by insufficient verification
> of conn_rsp_epid, I think it would be appropriate to add a range check for
> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
© 2016 - 2026 Red Hat, Inc.