Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> wrote:

> Fix a stack-out-of-bounds write that occurs in a WMI response callback
> function that is called after a timeout occurs in ath9k_wmi_cmd().
> The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
> could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
> 0 when a timeout occurred.
>
> Found by a modified version of syzkaller.
>
> BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
> Write of size 4
> Call Trace:
>  memcpy
>  ath9k_wmi_ctrl_rx
>  ath9k_htc_rx_msg
>  ath9k_hif_usb_reg_in_cb
>  __usb_hcd_giveback_urb
>  usb_hcd_giveback_urb
>  dummy_timer
>  call_timer_fn
>  run_timer_softirq
>  __do_softirq
>  irq_exit_rcu
>  sysvec_apic_timer_interrupt
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
> Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

8a2f35b98306 wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()

--
https://patchwork.kernel.org/project/linux-wireless/patch/20230104124130.10996-1-linuxlovemin@xxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
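A small C model of the pattern the commit message describes, added here as an illustration and not the ath9k driver's code: a reply callback that writes through a pointer left behind by a command function whose stack buffer has already gone out of scope, and the fix of clearing the outstanding sequence id when the wait times out. The struct, function names and the buf_valid/stale_writes bookkeeping are hypothetical simplifications; instead of performing the stale memcpy, the model counts it.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified stand-in for the driver's wmi state (not ath9k code). */
struct wmi_model {
    uint16_t last_seq_id;  /* seq id of the command awaiting a reply, 0 = none */
    uint8_t *cmd_rsp_buf;  /* caller-owned reply buffer, on the caller's stack */
    size_t   cmd_rsp_len;
    int      buf_valid;    /* model only: is the frame owning cmd_rsp_buf live? */
    int      fixed;        /* 1 = clear last_seq_id on timeout (the fix) */
    int      stale_writes; /* model only: writes that would have hit a dead frame */
};
static const uint8_t REPLY[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed reply */
/* Reply path: accept a reply only if a command with this seq id is outstanding. */
int wmi_rsp_callback(struct wmi_model *wmi, uint16_t seq_id,
                     const uint8_t *data, size_t len)
{
    if (wmi->last_seq_id != seq_id)
        return 0;          /* nothing outstanding: reply dropped */
    /* Without the fix a late reply lands here: the real driver would memcpy into the returned frame. */
    if (!wmi->buf_valid) { wmi->stale_writes++; return -1; }
    if (len > wmi->cmd_rsp_len) len = wmi->cmd_rsp_len;
    memcpy(wmi->cmd_rsp_buf, data, len);
    wmi->last_seq_id = 0;
    return 1;
}
/* Command path: registers a stack reply buffer, then gets a reply or times out.
 * Returns 1 if a reply landed in rsp before the function returned. */
int wmi_cmd(struct wmi_model *wmi, uint16_t seq_id, int reply_in_time)
{
    uint8_t rsp[8] = {0};  /* stack buffer, like the real caller's */
    int got = 0;
    wmi->last_seq_id = seq_id; wmi->buf_valid = 1;
    wmi->cmd_rsp_buf = rsp; wmi->cmd_rsp_len = sizeof rsp;
    if (reply_in_time)     /* reply arrives while we are still waiting */
        got = wmi_rsp_callback(wmi, seq_id, REPLY, sizeof REPLY) == 1 && rsp[0] == REPLY[0];
    else if (wmi->fixed)
        wmi->last_seq_id = 0; /* the fix: after a timeout no reply is expected */
    wmi->buf_valid = 0;    /* rsp dies here, but cmd_rsp_buf still points at it */
    return got;
}
/* Scenario: command times out, then a late reply with the same seq id arrives.
 * Returns the number of stale writes: 1 without the fix, 0 with it. */
int late_reply_after_timeout(int fixed)
{
    struct wmi_model wmi = { .fixed = fixed };
    wmi_cmd(&wmi, 0x1234, 0);
    wmi_rsp_callback(&wmi, 0x1234, REPLY, sizeof REPLY);
    return wmi.stale_writes;
}
```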