Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <649de84e-6f9a-5c6b-9a94-a7c6462abd1f@gmail.com>
Date:   Thu, 20 Oct 2022 10:39:14 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.13.1
Subject: Re: [PATCH] brcmfmac: Fixes potential buffer overflow in
 'brcmf_fweh_event_worker'
Content-Language: en-US
To:     Dokyung Song <dokyung.song@gmail.com>,
        linux-wireless@vger.kernel.org
Cc:     Jisoo Jang <jisoo.jang@yonsei.ac.kr>,
        Minsuk Kang <linuxlovemin@yonsei.ac.kr>
References: <20221020014907.GA338234@laguna>
From:   Arend Van Spriel <aspriel@gmail.com>
In-Reply-To: <20221020014907.GA338234@laguna>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk

On 10/20/2022 3:49 AM, Dokyung Song wrote:
> This patch fixes an intra-object buffer overflow in brcmfmac that occurs
> when the device provides a 'bsscfgidx' equal to or greater than the
> buffer size. The patch adds a check that leads to a safe failure if that
> is the case.
> 
> Found by a modified version of syzkaller.
> 
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> index 52 is out of range for type 'brcmf_if *[16]'
> CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132

[...]

> Kernel panic - not syncing: Fatal exception
> 
> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>

Not sure what the rules are for using 'Reported-by' tag, but it looks a 
bit odd. I leave it to the wireless maintainer.

Reviewed-by: Arend van Spriel <aspriel@gmail.com>
> Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> index bc3f4e4edcdf..e035e9c5a1fa 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> @@ -255,10 +255,15 @@ static void brcmf_fweh_event_worker(struct work_struct *work)
>   			goto event_free;
>   		}
>   
> -		if (event->code == BRCMF_E_TDLS_PEER_EVENT)
> +		if (event->code == BRCMF_E_TDLS_PEER_EVENT) {
>   			ifp = drvr->iflist[0];
> -		else
> +		} else {
> +			if (emsg.bsscfgidx >= BRCMF_MAX_IFS) {
> +				bphy_err(drvr, "invalid bsscfg index: %u\n", emsg.bsscfgidx);
> +				goto event_free;
> +			}

probably better to do the validation before any other handling. So right 
after converting the event message at line 245

https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c#L245

>   			ifp = drvr->iflist[emsg.bsscfgidx];
> +		}
>   		err = brcmf_fweh_call_event_handler(drvr, ifp, event->code,
>   						    &emsg, event->data);
>   		if (err) {