From patchwork Wed Feb 1 00:15:14 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1735163
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
Date: Tue, 31 Jan 2023 19:15:14 -0500
Message-Id: <20230201001514.30995-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230201001514.30995-1-yuxuan.luo@canonical.com>
References: <20230201001514.30995-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions

From: Szymon Heidrich

Since resplen and respoffs are signed integers, sufficiently large values of the unsigned int len and offset members of the RNDIS response will result in negative values of the prior variables. This may be utilized to bypass the implemented security checks to either extract memory contents by manipulating offset or overflow the data buffer via memcpy by manipulating both offset and len.

Additionally, assure that the sum of resplen and respoffs does not overflow so buffer boundaries are kept.

Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
Signed-off-by: Szymon Heidrich
Reviewed-by: Alexander Duyck
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
(cherry picked from commit b870e73a56c4cccbec33224233eaf295839f228c)
CVE-2023-23559
Signed-off-by: Yuxuan Luo
---
 drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index d4947e3a909ec..0376a2a745722 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) struct rndis_query *get; struct rndis_query_c *get_c; } u; - int ret, buflen; - int resplen, respoffs, copylen; + int ret; + size_t buflen, resplen, respoffs, copylen; buflen = *len + sizeof(*u.get); if (buflen < CONTROL_BUFFER_SIZE) @@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) if (respoffs > buflen) { /* Device returned data offset outside buffer, error. */ - netdev_dbg(dev->net, "%s(%s): received invalid " - "data offset: %d > %d\n", __func__, - oid_to_string(oid), respoffs, buflen); + netdev_dbg(dev->net, + "%s(%s): received invalid data offset: %zu > %zu\n", + __func__, oid_to_string(oid), respoffs, buflen); ret = -EINVAL; goto exit_unlock; } - if ((resplen + respoffs) > buflen) { - /* Device would have returned more data if buffer would - * have been big enough. Copy just the bits that we got. - */ - copylen = buflen - respoffs; - } else { - copylen = resplen; - } + copylen = min(resplen, buflen - respoffs); if (copylen > *len) copylen = *len;
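Review bot: in the first hunk (@@ -712), once `resplen`, `respoffs` and `copylen` become `size_t`, the unchanged `if (copylen > *len)` in the trailing context of the second hunk compares a `size_t` against the `int` that the `int *len` parameter points to; the `int` is converted to `size_t`, so a negative `*len` would turn into a huge value and disable the clamp, and -Wsign-compare will flag the line. Suggest rejecting a negative `*len` at function entry (before `buflen = *len + sizeof(*u.get);`, which now also stores the result in a `size_t`) and making the comparison explicit, e.g. `if (copylen > (size_t)*len)`.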
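Review bot: in the second hunk (@@ -748), the comment dropped together with the old branch ("Device would have returned more data if buffer would have been big enough. Copy just the bits that we got.") still describes what the new `copylen = min(resplen, buflen - respoffs);` does, and it was the only place a reader is told that `buflen - respoffs` cannot wrap because `respoffs > buflen` is rejected a few lines earlier; suggest keeping a one-line comment above the `min()` saying both. Note also that the kernel's `min()` macro requires both operands to have the same type, so this hunk only compiles together with the `size_t` change in the first hunk; the two must not be split when backporting. The `%d` to `%zu` change in the `netdev_dbg()` call is the right match for the new types.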
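The signed-versus-unsigned failure the commit message describes, modelled as an added C example (this is not the driver's code and not part of the patch): the response's `offset` and `len` fields are 32-bit unsigned values chosen by the USB device, and the example runs the same four constructed responses through a pre-fix version of the checks (int temporaries) and a post-fix version (size_t with the min()). The buffer size of 1024, the caller length of 64, the sample responses and the two's-complement wrap of the uint32_t-to-int conversion are assumptions made here; the caller's length is modelled as a size_t rather than the driver's `int *len`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an RNDIS query response header: both fields are
 * supplied by the device and are therefore untrusted input. */
struct rndis_resp {
    uint32_t offset;   /* where the payload starts, relative to the header */
    uint32_t len;      /* how many payload bytes the device claims */
};

struct copy_decision {
    int accepted;      /* 1 if the checks let the copy proceed, 0 if rejected */
    long copylen;      /* byte count the driver would hand to memcpy() */
};

/* Pre-fix logic: device values land in int temporaries. On the usual
 * two's-complement ABI a value >= 2^31 wraps to a negative int, and the
 * comparisons against buflen then no longer bound anything. */
struct copy_decision copylen_before_fix(const struct rndis_resp *r, int buflen, int user_len)
{
    struct copy_decision d = { 0, 0 };
    int resplen = (int)r->len;        /* 0xFFFFFFF0 becomes -16 */
    int respoffs = (int)r->offset;    /* 0xFFFFFF00 becomes -256 */
    int copylen;

    if (respoffs > buflen)            /* a negative offset passes this check */
        return d;
    if ((resplen + respoffs) > buflen)
        copylen = buflen - respoffs;
    else
        copylen = resplen;            /* may itself be negative */
    if (copylen > user_len)
        copylen = user_len;

    d.accepted = 1;
    d.copylen = copylen;              /* negative -> huge size_t at memcpy() */
    return d;
}

/* Post-fix logic: size_t throughout, so the device values keep their
 * magnitude; the offset check rejects anything past the buffer, and the
 * min() keeps respoffs + copylen <= buflen without computing a sum that
 * could wrap. */
struct copy_decision copylen_after_fix(const struct rndis_resp *r, size_t buflen, size_t user_len)
{
    struct copy_decision d = { 0, 0 };
    size_t resplen = r->len;
    size_t respoffs = r->offset;
    size_t remaining, copylen;

    if (respoffs > buflen)
        return d;
    remaining = buflen - respoffs;    /* cannot underflow: respoffs <= buflen */
    copylen = resplen < remaining ? resplen : remaining;
    if (copylen > user_len)
        copylen = user_len;

    d.accepted = 1;
    d.copylen = (long)copylen;
    return d;
}

/* Constructed sample responses (not captured from a real device). */
static const struct rndis_resp SAMPLE_NORMAL     = { 16, 100 };          /* fits in the buffer */
static const struct rndis_resp SAMPLE_TRUNCATED  = { 1000, 100 };        /* device claims more than remains */
static const struct rndis_resp SAMPLE_BAD_OFFSET = { 0xFFFFFF00u, 256 }; /* offset wraps negative as int */
static const struct rndis_resp SAMPLE_BAD_LEN    = { 16, 0xFFFFFFF0u };  /* length wraps negative as int */

int main(void)
{
    const struct rndis_resp *samples[] = { &SAMPLE_NORMAL, &SAMPLE_TRUNCATED,
                                           &SAMPLE_BAD_OFFSET, &SAMPLE_BAD_LEN };
    const char *names[] = { "normal", "truncated", "bad offset", "bad len" };
    size_t i;

    for (i = 0; i < 4; i++) {
        struct copy_decision b = copylen_before_fix(samples[i], 1024, 64);
        struct copy_decision a = copylen_after_fix(samples[i], 1024, 64);
        printf("%-10s before: accepted=%d copylen=%ld | after: accepted=%d copylen=%ld\n",
               names[i], b.accepted, b.copylen, a.accepted, a.copylen);
    }
    return 0;
}
```

Running it shows the two benign responses producing identical results under both versions (64 and 24 bytes), while the pre-fix checks accept the wrapped offset with a copy that would start 256 bytes before the buffer and accept the wrapped length with a copylen of -16; the post-fix checks reject the bad offset outright and clamp the bad length to the caller's 64 bytes.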