Toke Høiland-Jørgensen <toke@xxxxxxx> writes:

> Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> writes:
>
>> Fix a stack-out-of-bounds write that occurs in a WMI response callback
>> function that is called after a timeout occurs in ath9k_wmi_cmd().
>> The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
>> could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
>> 0 when a timeout occurred.
>>
>> Found by a modified version of syzkaller.
>>
>> BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
>> Write of size 4
>> Call Trace:
>>  memcpy
>>  ath9k_wmi_ctrl_rx
>>  ath9k_htc_rx_msg
>>  ath9k_hif_usb_reg_in_cb
>>  __usb_hcd_giveback_urb
>>  usb_hcd_giveback_urb
>>  dummy_timer
>>  call_timer_fn
>>  run_timer_softirq
>>  __do_softirq
>>  irq_exit_rcu
>>  sysvec_apic_timer_interrupt
>>
>> Signed-off-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
>
> Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
>
> Also (Kalle, I assume you can just add this):
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")

Yes, will add.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
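The bug described in the quoted commit message is a late-completion race: a response callback copies into a buffer the waiting caller owned on its stack, after that caller has already timed out and returned. The reduced C model below is an added example, not code from the ath9k driver or from this thread; only the field names cmd_rsp_buf and last_seq_id come from the commit message, and wmi_model, wmi_cmd_start, wmi_ctrl_rx (loosely modelled on ath9k_wmi_ctrl_rx) and wmi_cmd_finish are hypothetical. It shows how clearing the sequence id on timeout makes a stale response get dropped instead of written.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reduced model of the WMI state; only cmd_rsp_buf and
 * last_seq_id correspond to fields named in the commit message. */
struct wmi_model {
    void *cmd_rsp_buf;     /* caller-owned, typically stack, response buffer */
    size_t cmd_rsp_len;
    uint16_t last_seq_id;  /* command awaiting a response; 0 means none */
    bool completed;
};

/* Register a command and the buffer its response must be copied into. */
static void wmi_cmd_start(struct wmi_model *w, uint16_t seq_id,
                          void *rsp_buf, size_t rsp_len)
{
    w->cmd_rsp_buf = rsp_buf;
    w->cmd_rsp_len = rsp_len;
    w->last_seq_id = seq_id;
    w->completed = false;
}

/* Receive path: copy only when the response answers the command still in
 * flight and fits the registered buffer. Returns true if it was copied. */
static bool wmi_ctrl_rx(struct wmi_model *w, uint16_t seq_id,
                        const void *data, size_t len)
{
    if (w->last_seq_id == 0 || seq_id != w->last_seq_id || len > w->cmd_rsp_len)
        return false;  /* stale or oversized response: drop it */
    memcpy(w->cmd_rsp_buf, data, len);
    w->completed = true;
    return true;
}

/* End of the wait. On timeout the caller's buffer is about to go out of
 * scope; with_fix models the patch (clear last_seq_id so a late response
 * is dropped), with_fix=false models the original behaviour.
 * Returns 0 on completion, -1 on timeout. */
static int wmi_cmd_finish(struct wmi_model *w, bool with_fix)
{
    if (w->completed)
        return 0;
    if (with_fix) {
        w->last_seq_id = 0;
        w->cmd_rsp_buf = NULL;
    }
    return -1;
}
```

In the real driver the registered buffer lives on the stack of ath9k_wmi_cmd()'s caller, so the unfixed path is exactly the KASAN stack-out-of-bounds write shown in the trace.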