Zekun Shen <bruceshenzk@xxxxxxxxx> wrote:

> Bad header can have large length field which can cause OOB.
> cptr is the last bytes for read, and the eeprom is parsed
> from high to low address. The OOB, triggered by the condition
> length > cptr could cause memory error with a read on
> negative index.
>
> There are some sanity checks around length, but it is not
> compared with cptr (the remaining bytes). Here, the
> corrupted/bad EEPROM can cause panic.
>
> I was able to reproduce the crash, but I cannot find the
> log and the reproducer now. After I applied the patch, the
> bug is no longer reproducible.
>
> Signed-off-by: Zekun Shen <bruceshenzk@xxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

23151b9ae79e ath9k: fix OOB read ar9300_eeprom_restore_internal

--
https://patchwork.kernel.org/project/linux-wireless/patch/YM3xKsQJ0Hw2hjrc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
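As an added illustration, not the ath9k source or the applied patch, the following C model shows a high-to-low block walk of the kind the commit message describes, with the "length compared against cptr (remaining bytes)" check in place; the 2-byte header layout, the 0xff end marker and the sample images are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 2 /* assumed block header: [type, length] just below the cursor */

/* Walk blocks from the top of the image downward: cptr is the number of
 * bytes still below the cursor, each block is a 2-byte header with `length`
 * payload bytes beneath it. Returns the number of blocks parsed, or -1 when
 * a header claims more than remains (unchecked, img + cptr - length < img). */
int walk_eeprom_blocks(const uint8_t *img, size_t size,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t cptr = size;
    int blocks = 0;
    *out_len = 0;
    while (cptr >= HDR_LEN) {
        uint8_t type = img[cptr - 2], length = img[cptr - 1];
        cptr -= HDR_LEN;
        if (type == 0xff) /* assumed end-of-list marker */
            break;
        if (length > cptr || length > out_cap - *out_len) /* the missing check */
            return -1;
        memcpy(out + *out_len, img + cptr - length, length);
        *out_len += length;
        cptr -= length;
        blocks++;
    }
    return blocks;
}

/* Constructed well-formed image: end marker, 4 payload bytes, header on top. */
int parse_good_image(void)
{
    const uint8_t img[8] = { 0xff, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0x01, 0x04 };
    uint8_t out[8];
    size_t n;
    int blocks = walk_eeprom_blocks(img, sizeof img, out, sizeof out, &n);
    return (blocks == 1 && n == 4 && out[0] == 0xaa && out[3] == 0xdd) ? 1 : 0;
}

/* Constructed corrupted image: header claims 4 payload bytes, only 2 remain. */
int parse_bad_image(void)
{
    const uint8_t img[4] = { 0xaa, 0xbb, 0x01, 0x04 };
    uint8_t out[8];
    size_t n;
    return walk_eeprom_blocks(img, sizeof img, out, sizeof out, &n);
}
```

Without the `length > cptr` test, the corrupted image would make the walker compute `img + 2 - 4`, the negative index the commit message refers to.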