Message ID | 20250402112217.58533-1-toke@toke.dk |
---|---|
State | New |
Series | [wireless-next] wifi: ath9k_htc: Abort software beacon handling if disabled |
On 4/2/2025 4:22 AM, Toke Høiland-Jørgensen wrote: > A malicious USB device can send a WMI_SWBA_EVENTID event from an > ath9k_htc-managed device before beaconing has been enabled. This causes > a device-by-zero error in the driver, leading to either a crash or an > out of bounds read. > > Prevent this by aborting the handling in ath9k_htc_swba() if beacons are > not enabled. > > Reported-by: Robert Morris <rtm@csail.mit.edu> > Link: https://lore.kernel.org/r/88967.1743099372@localhost Changed this to Closes: to make checkpatch happy > Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") > Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> > --- > drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c > index 547634f82183..81fa7cbad892 100644 > --- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c > +++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c > @@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, > struct ath_common *common = ath9k_hw_common(priv->ah); > int slot; > > + if (!priv->cur_beacon_conf.enable_beacon) > + return; > + > if (swba->beacon_pending != 0) { > priv->beacon.bmisscnt++; > if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
On Wed, 02 Apr 2025 13:22:16 +0200, Toke Høiland-Jørgensen wrote:
> A malicious USB device can send a WMI_SWBA_EVENTID event from an
> ath9k_htc-managed device before beaconing has been enabled. This causes
> a device-by-zero error in the driver, leading to either a crash or an
> out of bounds read.
>
> Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
> not enabled.
>
> [...]

Applied, thanks!

[1/1] wifi: ath9k_htc: Abort software beacon handling if disabled
      commit: ac4e317a95a1092b5da5b9918b7118759342641c

Best regards,
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c index 547634f82183..81fa7cbad892 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c @@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, struct ath_common *common = ath9k_hw_common(priv->ah); int slot; + if (!priv->cur_beacon_conf.enable_beacon) + return; + if (swba->beacon_pending != 0) { priv->beacon.bmisscnt++; if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
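Review bot: The new early return at the top of ath9k_htc_swba() tests priv->cur_beacon_conf.enable_beacon, not the value that is later used as the divisor, and that division is not visible in this hunk. It would help to confirm, and say in a one-line comment above the check, that enable_beacon being set guarantees the beacon configuration used further down is non-zero, and that the event is device-supplied and can arrive before beaconing is configured. The flag is also read here with no lock visible in the hunk, so it is worth checking whether it can be cleared while the handler is running, which would reopen the same path after the check has passed.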
A malicious USB device can send a WMI_SWBA_EVENTID event from an
ath9k_htc-managed device before beaconing has been enabled. This causes
a device-by-zero error in the driver, leading to either a crash or an
out of bounds read.

Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
not enabled.

Reported-by: Robert Morris <rtm@csail.mit.edu>
Link: https://lore.kernel.org/r/88967.1743099372@localhost
Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
---
 drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
 1 file changed, 3 insertions(+)