Message ID | 20230315202112.163012-1-pchelkin@ispras.ru |
---|---|
Headers | From: Fedor Pchelkin <pchelkin@ispras.ru>; To: Toke Høiland-Jørgensen <toke@toke.dk>; Cc: Fedor Pchelkin <pchelkin@ispras.ru>, Kalle Valo <kvalo@kernel.org>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Senthil Balasubramanian <senthilkumar@atheros.com>, "John W. Linville" <linville@tuxdriver.com>, Vasanthakumar Thiagarajan <vasanth@atheros.com>, Sujith <Sujith.Manoharan@atheros.com>, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov <khoroshilov@ispras.ru>, lvc-project@linuxtesting.org; Subject: [PATCH 0/3] wifi: ath9k: deal with uninit memory; Date: Wed, 15 Mar 2023 23:21:09 +0300 |
Series | wifi: ath9k: deal with uninit memory | |
Message
Fedor Pchelkin
March 15, 2023, 8:21 p.m. UTC
Syzkaller reports two cases ([1] and [2]) of uninitialized memory referencing in ath9k
wmi functions. The following patch series is intended to fix them and related issues.

[1] https://syzkaller.appspot.com/bug?id=51d401326d8ee41859d68997acdd6f3b1b39f186
[2] https://syzkaller.appspot.com/bug?id=fc54e8d79f5d5082c7867259d71b4e6618b69d25
Comments
On Wed, Mar 15, 2023 at 11:21:09PM +0300, Fedor Pchelkin wrote:
> Syzkaller reports two cases ([1] and [2]) of uninitialized memory referencing in ath9k
> wmi functions. The following patch series is intended to fix them and related issues.
>
> [1] https://syzkaller.appspot.com/bug?id=51d401326d8ee41859d68997acdd6f3b1b39f186
> [2] https://syzkaller.appspot.com/bug?id=fc54e8d79f5d5082c7867259d71b4e6618b69d25

During the patch development I observed that the return value of REG_READ
(ath9k_regread), REG_READ_MULTI (ath9k_multi_regread) and similar macros is
not checked in most places inside ath9k where they are called. That may also
potentially lead to incorrect behaviour.

I wonder if it actually poses a problem as the current implementation has
been for a long time and perhaps somebody has already addressed this.

In more detail:

-- ath9k_regread returns -1 on error, and probably this is a predefined error
state and doesn't need additional check. But, overall, it seems strange to me
that the return value is not checked in places where it is used later (for
example, in ath9k_reg_rmw or ath9k_hw_ani_read_counters).

-- ath9k_multi_regread fills 'val' buffer with undefined values on error
case, that should definitely be fixed with initializing the local buffer to
zero, I think.

Could you please say your opinion on this issue?
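
A user-space model of the two patterns raised in the reply above, added here as an illustration and not taken from ath9k or from the patch series. The register file, the `read_fails` switch and all function names are hypothetical; the 0xA5 fill is a constructed stand-in for stale stack contents.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: four registers; read_fails simulates a failing read path. */
static uint32_t regs[4] = {0x10, 0x20, 0x30, 0x40};
static int read_fails;

/* Single read with an in-band error value (-1 on error, as the reply describes). */
static uint32_t model_regread(unsigned idx)
{
    return read_fails ? (uint32_t)-1 : regs[idx];
}

/* Multi read: on error 'val' is left untouched, so its contents are undefined
 * from the caller's point of view. */
static int model_multi_regread(const unsigned *idx, uint32_t *val, size_t n)
{
    if (read_fails)
        return -1;
    for (size_t i = 0; i < n; i++)
        val[i] = regs[idx[i]];
    return 0;
}

/* Unchecked RMW: a failed read becomes a write of (0xffffffff & ~clr) | set. */
static void rmw_unchecked(unsigned idx, uint32_t set, uint32_t clr)
{
    regs[idx] = (model_regread(idx) & ~clr) | set;
}

/* Checked RMW: status travels out of band; the register is untouched on failure. */
static int rmw_checked(unsigned idx, uint32_t set, uint32_t clr)
{
    uint32_t v = 0;
    if (model_multi_regread(&idx, &v, 1) != 0)
        return -1;
    regs[idx] = (v & ~clr) | set;
    return 0;
}

/* Caller of the multi read. harden=0: poisoned buffer, return value ignored.
 * harden=1: zero-initialised buffer and the error is honoured. */
static uint32_t read_pair(int harden, int *err)
{
    const unsigned idx[2] = {0, 1};
    uint32_t val[2];
    memset(val, harden ? 0 : 0xA5, sizeof(val));
    *err = model_multi_regread(idx, val, 2);
    return (harden && *err) ? 0 : val[0] + val[1];
}
```

The in-band `-1` is also a legal 32-bit register value, which is why the checked variant reports failure through a separate return code instead of comparing the data against the sentinel.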