Commit bc776fd1 authored Mar 12, 2025 by Dan Carpenter Committed by Zeng Heng Mar 12, 2025

ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix

stable inclusion
from stable-v4.19.247
commit 4bdcf32c965c27f55ccc4ee71c1927131115b0bb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP32T
CVE: CVE-2022-49503

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4bdcf32c965c27f55ccc4ee71c1927131115b0bb



--------------------------------

[ Upstream commit 2dc50930 ]

The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
ensure that it is within the bitmap.

drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'

Fixes: 4ed1a8d4 ("ath9k_htc: use ath9k_cmn_rx_accept")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220409061225.GA5447@kili


Signed-off-by: Sasha Levin <sashal@kernel.org>
Conflicts:
	drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
[Fix context conflicts.]
Signed-off-by: Zeng Heng <zengheng4@huawei.com>

parent 72481518

drivers/net/wireless/ath/ath9k/htc_drv_txrx.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1007,6 +1007,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
		goto rx_next;
		}

		if (rxstatus->rs_keyix >= ATH_KEYMAX &&
		rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) {
		ath_dbg(common, ANY,
		"Invalid keyix, dropping (keyix: %d)\n",
		rxstatus->rs_keyix);
		goto rx_next;
		}

		/* Get the RX status information */

		memset(rx_status, 0, sizeof(struct ieee80211_rx_status));