Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_wmi_ctrl_rx

From: Fedor Pchelkin
Date: Wed Mar 15 2023 - 15:33:50 EST

Next message: Siddharth Kawar: "Re: [PATCH] SUNRPC: fix shutdown of NFS TCP client socket"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Kselftest fixes update for Linux 6.3-rc3"
In reply to: syzbot: "Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_wmi_ctrl_rx"
Next in thread: syzbot: "Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_wmi_ctrl_rx"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test: https://github.com/google/kmsan.git master

--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -1147,6 +1147,12 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb,
if (!data_race(priv->rx.initialized))
goto err;

+ /* Validate the obtained SKB so that it is handled without error
+ * inside rx_tasklet handler.
+ */
+ if (unlikely(skb->len < sizeof(struct ieee80211_hdr)))
+ goto err;
+
spin_lock_irqsave(&priv->rx.rxbuflock, flags);
list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) {
if (!tmp_buf->in_process) {
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index fe62ff668f75..9d0d9d0e1aa8 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -475,6 +475,10 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
skb_pull(skb, sizeof(struct htc_frame_hdr));

endpoint = &htc_handle->endpoint[epid];
+
+ /* The endpoint RX handlers should implement their own
+ * additional SKB sanity checking
+ */
if (endpoint->ep_callbacks.rx)
endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
skb, epid);
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 19345b8f7bfd..2e7c361b62f5 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -204,6 +204,10 @@ static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb)
{
skb_pull(skb, sizeof(struct wmi_cmd_hdr));

+ /* Once again validate the SKB. */
+ if (unlikely(skb->len < wmi->cmd_rsp_len))
+ return;
+
if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0)
memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len);

@@ -221,6 +225,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
if (unlikely(wmi->stopped))
goto free_skb;

+ /* Validate the obtained SKB. */
+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
+ goto free_skb;
+
hdr = (struct wmi_cmd_hdr *) skb->data;
cmd_id = be16_to_cpu(hdr->command_id);

--

Next message: Siddharth Kawar: "Re: [PATCH] SUNRPC: fix shutdown of NFS TCP client socket"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Kselftest fixes update for Linux 6.3-rc3"
In reply to: syzbot: "Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_wmi_ctrl_rx"
Next in thread: syzbot: "Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_wmi_ctrl_rx"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]