ath9k: fix OOB read ar9300_eeprom_restore_internal

stable inclusion from stable-5.10.67 commit aa3708236ea011adee77af428f21ba30becd0ba3 bugzilla: 182619 https://gitee.com/openeuler/kernel/issues/I4EWO7 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa3708236ea011adee77af428f21ba30becd0ba3 -------------------------------- [ Upstream commit 23151b9a ] Bad header can have large length field which can cause OOB. cptr is the last bytes for read, and the eeprom is parsed from high to low address. The OOB, triggered by the condition length > cptr could cause memory error with a read on negative index. There are some sanity check around length, but it is not compared with cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause panic. I was able to reproduce the crash, but I cannot find the log and the reproducer now. After I applied the patch, the bug is no longer reproducible. Signed-off-by: N Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.homeSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ath9k: fix OOB read ar9300_eeprom_restore_internal
stable inclusion from stable-5.10.67 commit aa3708236ea011adee77af428f21ba30becd0ba3 bugzilla: 182619 https://gitee.com/openeuler/kernel/issues/I4EWO7 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa3708236ea011adee77af428f21ba30becd0ba3 -------------------------------- [ Upstream commit 23151b9a ] Bad header can have large length field which can cause OOB. cptr is the last bytes for read, and the eeprom is parsed from high to low address. The OOB, triggered by the condition length > cptr could cause memory error with a read on negative index. There are some sanity check around length, but it is not compared with cptr (the remaining bytes). Here, the corrupted/bad EEPROM can cause panic. I was able to reproduce the crash, but I cannot find the log and the reproducer now. After I applied the patch, the bug is no longer reproducible. Signed-off-by: N Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.homeSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
a2b77286 · Zekun Shen · Zheng Zengkai · 7ed9866a · a2b77286
显示空白变更内容
内联并排

Showing with 2 addition and 1 deletion

drivers/net/wireless/ath/ath9k/ar9003_eeprom.c drivers/net/wireless/ath/ath9k/ar9003_eeprom.c +2 -1

未找到文件。
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
 			"Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
 			cptr, code, reference, length, major, minor);
 		if ((!AR_SREV_9485(ah) && length >= 1024) ||
-		    (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
+		    (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) ||
+		    (length > cptr)) {
 			ath_dbg(common, EEPROM, "Skipping bad header\n");
 			cptr -= COMP_HDR_LEN;
 			continue;