We can't handle the case where length > WLAN_DATA_MAXLEN, because the size of
rxfrm->data is WLAN_DATA_MAXLEN (2312) and we can't read more than that.
Thanks-to: Hillf Danton
Reported-and-tested-by: syzbot+7d42d68643a35f71a...@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang
---
Yes, they have the same root cause.
On Thu, Mar 26, 2020 at 6:45 PM Andrey Konovalov wrote:
>
> On Thu, Mar 26, 2020 at 3:52 AM Qiujun Huang wrote:
> >
> > #syz test: https://github.com/google/kasan.git e17994d1
>
> Hi Qiujun,
>
> I've already duped this bug
#syz test: https://github.com/google/kasan.git e17994d1
On Mon, Mar 23, 2020 at 8:39 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzz
#syz test: https://github.com/google/kasan.git e17994d1
forgot to trigger:(
On Thu, Mar 26, 2020 at 10:22 AM Qiujun Huang wrote:
>
> On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton wrote:
> >
> >
> > On Wed, 25 Mar 2020 01:58:03 -0700
> > > syzbot has tested the
On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton wrote:
>
>
> On Wed, 25 Mar 2020 01:58:03 -0700
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: use-after-free Read in hfa384x_usbin_callback
> >
> >
#syz test: https://github.com/google/kasan.git e17994d1
On Sat, Mar 21, 2020 at 3:28 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzz
We should cancel hw->usb_work before kfree(hw).
Reported-by: syzbot+6d2e7f6fa90e27be9...@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang
---
drivers/staging/wlan-ng/prism2usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/wlan-ng/prism2usb.c
b/drivers/staging/w
On Sun, Mar 22, 2020 at 3:58 PM Greg KH wrote:
>
> On Sun, Mar 22, 2020 at 03:53:44PM +0800, Qiujun Huang wrote:
> > The return value of snprintf is longer than expected if the string is
> > truncated. Bytes need to be checked here.
> >
> > diff --git a/drivers/
The return value of snprintf is longer than expected if the string is
truncated. Bytes need to be checked here.
diff --git a/drivers/staging/wusbcore/host/hwa-hc.c
b/drivers/staging/wusbcore/host/hwa-hc.c
index 8d959e9..1475a48 100644
--- a/drivers/staging/wusbcore/host/hwa-hc.c
+++ b/drivers/stag