drivers/net/wireless/ath/ath5k/eeprom.c | 3 +++ 1 file changed, 3 insertions(+)
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curve is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with real device.
The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
---
drivers/net/wireless/ath/ath5k/eeprom.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c
index 1fbc2c198..d444b3d70 100644
--- a/drivers/net/wireless/ath/ath5k/eeprom.c
+++ b/drivers/net/wireless/ath/ath5k/eeprom.c
@@ -746,6 +746,9 @@ ath5k_eeprom_convert_pcal_info_5111(struct ath5k_hw *ah, int mode,
}
}
+ if (idx == AR5K_EEPROM_N_PD_CURVES)
+ goto err_out;
+
ee->ee_pd_gains[mode] = 1;
pd = &chinfo[pier].pd_curves[idx];
--
2.25.1
On Sun, Dec 26, 2021 at 10:12:13PM -0500, Zekun Shen wrote: > The bug was found during fuzzing. Stacktrace locates it in > ath5k_eeprom_convert_pcal_info_5111. > When none of the curve is selected in the loop, idx can go > up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. > pd = &chinfo[pier].pd_curves[idx]; > > There are many OOB writes using pd later in the code. So I > added a sanity check for idx. Checks for other loops involving > AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not > used outside the loops. > > The patch is NOT tested with real device. > > The following is the fuzzing report > > BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 > > CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 > Call Trace: > dump_stack+0x76/0xa0 > print_address_description.constprop.0+0x16/0x200 > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > __kasan_report.cold+0x37/0x7c > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > kasan_report+0xe/0x20 > ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > ? apic_timer_interrupt+0xa/0x20 > ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] > ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] > ath5k_eeprom_init+0x2513/0x6290 [ath5k] > ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] > ? usleep_range+0xb8/0x100 > ? apic_timer_interrupt+0xa/0x20 > ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] > ath5k_hw_init+0xb60/0x1970 [ath5k] > ath5k_init_ah+0x6fe/0x2530 [ath5k] > ? kasprintf+0xa6/0xe0 > ? ath5k_stop+0x140/0x140 [ath5k] > ? _dev_notice+0xf6/0xf6 > ? apic_timer_interrupt+0xa/0x20 > ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] > ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] > ? mutex_lock+0x89/0xd0 > ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] > local_pci_probe+0xd3/0x160 > pci_device_probe+0x23f/0x3e0 > ? pci_device_remove+0x280/0x280 > ? pci_device_remove+0x280/0x280 > really_probe+0x209/0x5d0 > > Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu> > Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Acked-by: Luis Chamberlain <mcgrof@kernel.org> Luis
Zekun Shen <bruceshenzk@gmail.com> wrote: > The bug was found during fuzzing. Stacktrace locates it in > ath5k_eeprom_convert_pcal_info_5111. > When none of the curve is selected in the loop, idx can go > up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. > pd = &chinfo[pier].pd_curves[idx]; > > There are many OOB writes using pd later in the code. So I > added a sanity check for idx. Checks for other loops involving > AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not > used outside the loops. > > The patch is NOT tested with real device. > > The following is the fuzzing report > > BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 > > CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 > Call Trace: > dump_stack+0x76/0xa0 > print_address_description.constprop.0+0x16/0x200 > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > __kasan_report.cold+0x37/0x7c > ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > kasan_report+0xe/0x20 > ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] > ? apic_timer_interrupt+0xa/0x20 > ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] > ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] > ath5k_eeprom_init+0x2513/0x6290 [ath5k] > ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] > ? usleep_range+0xb8/0x100 > ? apic_timer_interrupt+0xa/0x20 > ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] > ath5k_hw_init+0xb60/0x1970 [ath5k] > ath5k_init_ah+0x6fe/0x2530 [ath5k] > ? kasprintf+0xa6/0xe0 > ? ath5k_stop+0x140/0x140 [ath5k] > ? _dev_notice+0xf6/0xf6 > ? apic_timer_interrupt+0xa/0x20 > ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] > ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] > ? mutex_lock+0x89/0xd0 > ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] > local_pci_probe+0xd3/0x160 > pci_device_probe+0x23f/0x3e0 > ? pci_device_remove+0x280/0x280 > ? pci_device_remove+0x280/0x280 > really_probe+0x209/0x5d0 > > Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu> > Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Patch applied to ath-next branch of ath.git, thanks. 564d4eceb97e ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 -- https://patchwork.kernel.org/project/linux-wireless/patch/YckvDdj3mtCkDRIt@a-10-27-26-18.dynapool.vpn.nyu.edu/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
© 2016 - 2026 Red Hat, Inc.