Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1997531iog; Sun, 26 Jun 2022 04:10:06 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vPUJmhVCtwMiu+p7tyR92yMjM/QG0D4u5EjXVNvjWF3oErsPZAh8b7tCf+bU43NpJZ6Vv9 X-Received: by 2002:a17:907:7745:b0:6f3:674a:339 with SMTP id kx5-20020a170907774500b006f3674a0339mr7795603ejc.207.1656241806572; Sun, 26 Jun 2022 04:10:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656241806; cv=none; d=google.com; s=arc-20160816; b=teVV+iFe8549lHvzYFql92M2LDlLBtfcK0pq+ytYqCzJZQENTsMqzH9LxGxgaddpsg n88b/rEySocLdXuTlMpTQzZpuakPUsalmfO1vuuhKEou3HPCSFKor9PJv6HBDhn9J6g8 5d4cqd3zA2M3vPRL18Wu/pTPU3OoITxz6rLyudzcWyyGdVje5r1b4tR9qbwN0iB+v97q Ro0lA8QAGjnhQtCWRF91HzaAn7BO7oSLZq7xZpSVYiZ2lapfhxzzQWoN10c33joa1at1 39FN/5fQvQh+BDiMNbT2HvfUayzg30a6mf1UJTtWsBj1R4jqDoZFkzl/3oeaNHibVXW3 oYNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:dkim-signature; bh=Vg0cRpEtb7ifVHWlwN4JySsa2TxMFUY1alHj7UpNopU=; b=0BSpamaRraOovylcfIiwq29qAuZw3u9abQy3C74DDY4rg3FzO2WjgUoIxnANCaArQi fJJ/ZnBX0opnghmoTq8ay7MkKdfB5OlaEaEaipBoZB4lQ9h0N/Qr3wqofql0kmXW5P7I 8YRzoFjzh8zHm8+sEJUywSUR6Hj+bU6p7w2EZN1PO7xrSPC9nEsfFkNvPBsIjgrWUsVx tE2PdFJVcSJD9D02TKYinNKQYxi2qKF7G62MNySYx65EALd627nzN4DjBMbeuygaS+/b ARH4TsiJfzwrYQYtNyiLHrnUV1h3XnByjMcRlqJgPbi9mLvfICDqURDI5A6qUU+5NuHh sgpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=eA4fAhRY; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m22-20020a056402431600b0042e0b28922asi8324706edc.7.2022.06.26.04.09.44; Sun, 26 Jun 2022 04:10:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=eA4fAhRY; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234298AbiFZK7h (ORCPT + 65 others); Sun, 26 Jun 2022 06:59:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44932 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229513AbiFZK7g (ORCPT ); Sun, 26 Jun 2022 06:59:36 -0400 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B58A538B6; Sun, 26 Jun 2022 03:59:35 -0700 (PDT) Received: by mail-pf1-x42b.google.com with SMTP id bo5so6510359pfb.4; Sun, 26 Jun 2022 03:59:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=Vg0cRpEtb7ifVHWlwN4JySsa2TxMFUY1alHj7UpNopU=; b=eA4fAhRYOxinFBIKOjsdC5/JMtdwRbDdcLmMQfLEP8BUXn+jdxzL/SFPRhPbP7sl5s B2tMBHS4ffugy61meKrUepvXyx5eGMIO9aQswV591V9aDB9uTZevnRSGuQ+WW+O3d850 9ga84NWlQn4qmwvua2hq28dpR3CqMZJ8C6yTLj6USWIbE5RSYJ25wj8JwQRcozQ+Axeh yt2/7Q7CR+KaeVvtf4KOsNS9vjdPom2WbO65C3y7RRt21g8xTDi2K/bh2lDc5f1tNQXa /1kO1n5V0s+bJd64f/vfjrF2kalUnCKp/BTo/dlj0bTpuogGXLyWMbvyV61OokjiQTTp XQ9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=Vg0cRpEtb7ifVHWlwN4JySsa2TxMFUY1alHj7UpNopU=; b=txWyG6dqIjMLD+pOU6xeknTJz/sBgGgvU+zaTIisUaWzRM82UK1NFOAmqUOnsC2MWA ILJwoeE4eorXyL3Qwq6tY28iZSjaw2d2JVp+D0REsj9BhEJvv8EPWteGKmIGEwrVuSrl ZkqCv+HLF0bEMxlKOisO9qXSnlFG75d0axp4kmiVTCTXjc9qgAuSCfJjGOWacbowd5fa rFrPFexwfI3+c/2E4O4MaOtkZb2WkuzPmGcZq8olDdiRJ/Z1bCgjukeyrddY7LOPDuJ9 3Z4gwnjblW2UbBMXUfoqMjuvYimnmAswMedQlw8YGpPMLytWvB8iqtSyuSYr+4/NJ48O p/Kw== X-Gm-Message-State: AJIora8PEmp56eQmS2tom4equBYsRcLaIpnJNC+SYEaSpyQM5ybCf6s3 LS1cST34MrGEgzYQCMp7Nq0= X-Received: by 2002:a63:1a0f:0:b0:3fe:4da7:1a38 with SMTP id a15-20020a631a0f000000b003fe4da71a38mr7561453pga.332.1656241175238; Sun, 26 Jun 2022 03:59:35 -0700 (PDT) Received: from ubuntu ([175.124.254.119]) by smtp.gmail.com with ESMTPSA id a27-20020aa794bb000000b005252a06750esm5019941pfl.182.2022.06.26.03.59.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 26 Jun 2022 03:59:34 -0700 (PDT) Date: Sun, 26 Jun 2022 03:59:31 -0700 From: Hyunwoo Kim To: gregory.greenman@intel.com, kvalo@kernel.org Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH] iwlwifi: pcie: Fixed integer overflow in iwl_write_to_user_buf Message-ID: <20220626105931.GA57801@ubuntu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) *size = buf_size_left; If the user passes a SIZE_MAX value to the "ssize_t count" parameter, the ssize_t count parameter is assigned to "int buf_size_left". Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a negative number, so "*size" is assigned "buf_size_left" and goes into the third argument of the copy_to_user function, causing a heap overflow. This is not a security vulnerability because iwl_dbgfs_monitor_data_read() is a debugfs operation with 0400 privileges. Signed-off-by: Hyunwoo Kim --- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c index bd50f52a1aad..fded5d305b11 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c @@ -2854,7 +2854,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { - int buf_size_left = count - *bytes_copied; + ssize_t buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) -- 2.25.1 Dear all, I submitted this patch 11 days ago. Can I get feedback on this patch? Regards, Hyunwoo Kim.