From patchwork Mon Mar 27 20:46:18 2023
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][OEM-5.17/OEM-6.0][PATCH 1/1] wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
Date: Mon, 27 Mar 2023 16:46:18 -0400
Message-Id: <20230327204618.42534-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230327204618.42534-1-yuxuan.luo@canonical.com>
References: <20230327204618.42534-1-yuxuan.luo@canonical.com>

From: Szymon Heidrich

Since resplen and respoffs are signed integers, sufficiently large values of the unsigned int len and offset members of the RNDIS response will result in negative values of the prior variables. This may be utilized to bypass implemented security checks to either extract memory contents by manipulating offset or overflow the data buffer via memcpy by manipulating both offset and len.

Additionally, assure that the sum of resplen and respoffs does not overflow so buffer boundaries are kept.

Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
Signed-off-by: Szymon Heidrich
Reviewed-by: Alexander Duyck
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
(cherry picked from commit b870e73a56c4cccbec33224233eaf295839f228c)
CVE-2023-23559
Signed-off-by: Yuxuan Luo
---
 drivers/net/wireless/rndis_wlan.c | 19 ++++++------------- 
 1 file changed, 6 insertions(+), 13 deletions(-)
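The signed-arithmetic bypass described in the commit message, as an added example that is not part of the patch or of the driver: a constructed model of the pre-patch and patched length checks, where `CONTROL_BUFFER_SIZE`, the header size `HDR`, `plan_signed`, `plan_size_t` and `plan_in_bounds` are all assumptions standing in for the driver's real buffer layout. It reports, for a given device-supplied len/offset pair, whether each version of the checks would let the resulting memcpy stay inside the control buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define CONTROL_BUFFER_SIZE 256  /* assumed stand-in for the driver's constant */
#define HDR 8                    /* assumed stand-in for sizeof(*u.get) */
/* Device-controlled RNDIS response fields; unsigned 32-bit on the wire. */
struct rndis_resp { uint32_t len; uint32_t offset; };

/* What the driver would hand to memcpy: ok = its checks passed, src_off =
 * offset into the control buffer, nbytes = length as memcpy receives it. */
struct copy_plan { bool ok; long long src_off; size_t nbytes; size_t buflen; };

/* Pre-patch arithmetic: resplen, respoffs, copylen are signed int, so the
 * uint32 fields convert as two's-complement (gcc) and may go negative. */
static struct copy_plan plan_signed(struct rndis_resp r, int caller_len)
{
    struct copy_plan p = { .ok = false };
    int buflen = caller_len + HDR;
    if (buflen < CONTROL_BUFFER_SIZE) buflen = CONTROL_BUFFER_SIZE;
    int resplen = (int)r.len, respoffs = (int)r.offset, copylen;
    p.buflen = (size_t)buflen;
    if (respoffs > buflen) return p;            /* negative respoffs passes */
    if (resplen + respoffs > buflen) copylen = buflen - respoffs;
    else copylen = resplen;                      /* negative resplen passes */
    if (copylen > caller_len) copylen = caller_len;
    p.ok = true; p.src_off = respoffs; p.nbytes = (size_t)copylen;
    return p;
}

/* Patched arithmetic: size_t throughout and no resplen + respoffs sum. */
static struct copy_plan plan_size_t(struct rndis_resp r, int caller_len)
{
    struct copy_plan p = { .ok = false };
    size_t buflen = (size_t)caller_len + HDR;
    if (buflen < CONTROL_BUFFER_SIZE) buflen = CONTROL_BUFFER_SIZE;
    size_t resplen = r.len, respoffs = r.offset, copylen;
    p.buflen = buflen;
    if (respoffs > buflen) return p;            /* -EINVAL in the driver */
    copylen = resplen < buflen - respoffs ? resplen : buflen - respoffs;
    if (copylen > (size_t)caller_len) copylen = (size_t)caller_len;
    p.ok = true; p.src_off = (long long)respoffs; p.nbytes = copylen;
    return p;
}

/* True only when the planned memcpy reads entirely inside the buffer. */
static bool plan_in_bounds(struct copy_plan p)
{
    return p.ok && p.src_off >= 0 && (size_t)p.src_off <= p.buflen &&
           p.nbytes <= p.buflen - (size_t)p.src_off;
}
```

With an offset of 0x80000000 the signed version accepts the response and would read from a negative offset, and with a len of 0xFFFFFFF0 it would pass a wrapped length to memcpy; the size_t version rejects the first and clamps the second to the caller's length.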
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index d4947e3a909ec..0376a2a745722 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) struct rndis_query *get; struct rndis_query_c *get_c; } u; - int ret, buflen; - int resplen, respoffs, copylen; + int ret; + size_t buflen, resplen, respoffs, copylen; buflen = *len + sizeof(*u.get); if (buflen < CONTROL_BUFFER_SIZE) @@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) if (respoffs > buflen) { /* Device returned data offset outside buffer, error. */ - netdev_dbg(dev->net, "%s(%s): received invalid " - "data offset: %d > %d\n", __func__, - oid_to_string(oid), respoffs, buflen); + netdev_dbg(dev->net, + "%s(%s): received invalid data offset: %zu > %zu\n", + __func__, oid_to_string(oid), respoffs, buflen); ret = -EINVAL; goto exit_unlock; } - if ((resplen + respoffs) > buflen) { - /* Device would have returned more data if buffer would - * have been big enough. Copy just the bits that we got. - */ - copylen = buflen - respoffs; - } else { - copylen = resplen; - } + copylen = min(resplen, buflen - respoffs); if (copylen > *len) copylen = *len;
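Review bot: In the first hunk (@@ -712), `buflen = *len + sizeof(*u.get)` still takes `*len` from the `int *len` parameter while `buflen` is now `size_t`, so a negative `*len` from a caller would wrap to a huge unsigned value and skip the `buflen < CONTROL_BUFFER_SIZE` floor. The type change is right for the device-controlled `len` and `offset` fields it targets, but the non-negative `*len` precondition now rests on every caller; a short comment, or an early `if (*len < 0) return -EINVAL;` style guard, would make that explicit instead of letting the conversion hide it.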
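Review bot: In the second hunk (@@ -748), `copylen = min(resplen, buflen - respoffs)` cannot underflow only because the `respoffs > buflen` check immediately above now compares unsigned values, and the old branch that explained the truncation case ("Copy just the bits that we got") is deleted with it; a one-line comment tying the subtraction to that check would keep the reasoning on the page. The trailing `if (copylen > *len)` now compares `size_t` against `int`, which is fine for non-negative `*len` but will warn under -Wsign-compare, so an explicit `(size_t)*len` cast is worth adding; the `%zu` changes in the `netdev_dbg` format correctly follow the new types.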