From patchwork Fri Jun 21 21:18:04 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1950984
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][N/J][PATCH 1/1] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
Date: Fri, 21 Jun 2024 16:18:04 -0500
Message-Id: <20240621211805.25608-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240621211805.25608-1-bethany.jamison@canonical.com>
References: <20240621211805.25608-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions

From: Daniel Starke

commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream.

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after
  reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.
All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Reported-by: j51569436@gmail.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: j51569436@gmail.com
Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke
Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f126ce7305fe88f49cdabc6db4168b9318898ea3 linux-6.8.y) CVE-2024-36016 Signed-off-by: Bethany Jamison --- drivers/tty/n_gsm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 4036566febcba..72b82bf1c2806 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2913,7 +2913,10 @@ static void gsm0_receive(struct gsm_mux *gsm, u8 c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) { + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { /* Calculate final FCS for UI frames over all data */ if ((gsm->control & ~PF) != UIH) { gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf, @@ -3026,7 +3029,7 @@ static void gsm1_receive(struct gsm_mux *gsm, u8 c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else
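Review bot: in the gsm0_receive() hunk the store `gsm->buf[gsm->count++] = c;` still runs before the new `gsm->count >= MAX_MRU` check, so the cap protects the *next* byte rather than the current one: once count reaches MAX_MRU the state drops to GSM_SEARCH and nothing further is stored, which keeps every written index below MAX_MRU only if gsm->buf holds at least MAX_MRU bytes (the allocation is not in this hunk). A one-line comment next to the check stating that invariant would save the next reader from re-deriving it. The `==` to `>=` change on the gsm->len comparison is the part that closes the scenario in the commit message, since a frame whose count has already overtaken a gsm->len reset by a mode switch now terminates instead of running on; and the new MAX_MRU branch leaves gsm->count as it is, which is only correct if the header-parsing states re-initialise it before GSM_DATA is entered again, so please confirm that and say so in the commit message.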
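Review bot: in the gsm1_receive() hunk the new bound is `gsm->count > MAX_MRU`, so a byte is still accepted when count equals MAX_MRU; together with the existing "Allow one for the FCS" comment that implies gsm->buf must hold at least MAX_MRU + 1 bytes, whereas the gsm0_receive() hunk rejects at `>=`. Either the two limits should be written the same way, or the commit message should explain the deliberate off-by-one between them and why gsm0_receive() falls back to GSM_SEARCH while gsm1_receive() goes to GSM_OVERRUN. Since gsm->mru is a configured value that should never legitimately exceed MAX_MRU, the second comparison is purely the hardening check the commit message describes; a short comment saying so would stop a later cleanup from removing it as redundant.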