From patchwork Thu Oct 24 22:06:25 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 2001973
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] CDC-NCM: avoid overflow in sanity checking
Date: Thu, 24 Oct 2024 17:06:25 -0500
Message-Id: <20241024220625.31584-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20241024220625.31584-1-bethany.jamison@canonical.com>
References: <20241024220625.31584-1-bethany.jamison@canonical.com>

From: Oliver Neukum

commit 8d2b1a1ec9f559d30b724877da4ce592edc41fdc upstream.

A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned.

Signed-off-by: Oliver Neukum
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 69560efa001397ebb8dc1c3e6a3ce00302bb9f7f linux-5.10.y)
CVE-2022-48938
Signed-off-by: Bethany Jamison
---
 drivers/net/usb/cdc_ncm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 4824385fe2c79..c86340fede082 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -1707,10 +1707,10 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in) { struct sk_buff *skb; struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0]; - int len; + unsigned int len; int nframes; int x; - int offset; + unsigned int offset; union { struct usb_cdc_ncm_ndp16 *ndp16; struct usb_cdc_ncm_ndp32 *ndp32; 
@@ -1782,8 +1782,8 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in) break; } - /* sanity checking */ - if (((offset + len) > skb_in->len) || + /* sanity checking - watch out for integer wrap*/ + if ((offset > skb_in->len) || (len > skb_in->len - offset) || (len > ctx->rx_max) || (len < ETH_HLEN)) { netif_dbg(dev, rx_err, dev->net, "invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n",
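Review bot: the type change for `len` and `offset` in the @@ -1707 hunk is shown only at the declarations; the rest of cdc_ncm_rx_fixup(), where the two are assigned from the ndp16/ndp32 entries named in the union and then used, is outside the hunk, so please confirm on the backport target that no remaining comparison or arithmetic in the function still assumes they are signed (any `< 0` style test on them would now be unreachable). nframes and x stay int, which is fine for loop counters, and the netif_dbg format in the following hunk already prints offset and length with %u, so the debug line needs no change.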
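Review bot: the rewritten condition in the @@ -1782 hunk is correct only because `offset > skb_in->len` is evaluated before `len > skb_in->len - offset`; the short-circuit `||` guarantees the subtraction never runs with offset larger than skb_in->len, so it cannot wrap, but that ordering dependency is worth stating in the comment so a later reshuffle of the terms does not silently reintroduce the bug. Minor: the new comment `/* sanity checking - watch out for integer wrap*/` is missing a space before the closing `*/`; suggest `/* sanity checking - watch out for integer wrap */`.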
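To see the wrap the commit message describes, here is an added C example (an editor's illustration, not code from the kernel or from this patch) that models the pre-patch and patched forms of the sanity check side by side on sample values. The buffer length, rx_max and the datagram index/length values are constructed; ETH_HLEN is the kernel's value of 14. The commit message quotes a 16-bit offset of 0xFFF0; the wrapping sample below uses a 32-bit datagram index close to UINT_MAX, the form in which the signed sum of the old check, computed in a 32-bit int, lands back inside the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14  /* Ethernet header length, the same constant the kernel check uses */

/*
 * Pre-patch form of the check (the '-' lines of the hunk): offset and len are int.
 * The kernel is built with wrapping integer semantics, so a 32-bit datagram index
 * above INT_MAX behaves as a negative offset and offset + len can come out small.
 * The sum is computed in unsigned arithmetic here to reproduce that wrap without
 * relying on signed-overflow behaviour in this user-space model.
 */
static bool old_check_accepts(unsigned int skb_len, unsigned int rx_max,
                              uint32_t raw_offset, uint32_t raw_len)
{
    int offset = (int)raw_offset;   /* a value > INT_MAX converts to a negative int */
    int len = (int)raw_len;
    unsigned int end = (unsigned int)offset + (unsigned int)len;

    /* (offset + len) > skb_in->len: the int sum is compared against an unsigned length */
    if ((end > skb_len) || ((unsigned int)len > rx_max) || (len < ETH_HLEN))
        return false;
    return true;
}

/*
 * Patched form (the '+' lines): both quantities unsigned, and the bound on offset
 * is tested before skb_len - offset is formed, so the subtraction cannot wrap.
 */
static bool new_check_accepts(unsigned int skb_len, unsigned int rx_max,
                              uint32_t offset, uint32_t len)
{
    if ((offset > skb_len) || (len > skb_len - offset) ||
        (len > rx_max) || (len < ETH_HLEN))
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: a 1514-byte receive buffer and a 16 KiB rx_max. */
    const unsigned int skb_len = 1514, rx_max = 16384;
    const struct { const char *what; uint32_t offset, len; } cases[] = {
        { "normal datagram",              0,           64 },
        { "index near UINT_MAX, len 64",  0xFFFFFFF0u, 64 },  /* old check wrongly accepts */
        { "index past end of buffer",     2000,        64 },
        { "last byte exactly at skb_len", 1500,        14 },
        { "one byte past skb_len",        1501,        14 },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s old=%s new=%s\n", cases[i].what,
               old_check_accepts(skb_len, rx_max, cases[i].offset, cases[i].len) ? "accept" : "reject",
               new_check_accepts(skb_len, rx_max, cases[i].offset, cases[i].len) ? "accept" : "reject");
    return 0;
}
```

The second case is the one that matters: as an int the index is -16, so the old sum is 48 and passes every term of the old test, whereas the patched test rejects it on the very first term. The boundary cases show that the patched check is no stricter than the old one for honest input.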