Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp2187621rwi; Fri, 21 Oct 2022 00:22:01 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7r/MDTluifLAKM8qCNvhnYJeMKU0TDRIRQhEY0IQPWG4nZH/zrMMCQE8H/vayuwf/qDKck X-Received: by 2002:a17:906:730d:b0:78e:9ca5:3269 with SMTP id di13-20020a170906730d00b0078e9ca53269mr14270326ejc.366.1666336920867; Fri, 21 Oct 2022 00:22:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666336920; cv=none; d=google.com; s=arc-20160816; b=JFSKElBPjJ8jhPYklwnZW74HpVEL/Mfo3XH8ubNSHm7qD5TLJ//ZIvr1VqFYFO2Tcz a6Ph2ZhYkqQOcLU/B0AZj1PA6Qh829MFBWYgmwPk7D6YBZz4xSse6cEcFm4ukAK0J4dx iVi4LexvJSse8y3AgV7+j58imSIzoUDjqzGN0O6+bOA3EgU6CiQyECTNEvaRZR8mz7A2 cGe4NH0w0ARKe+Lw7njuRRAA1ZHAb7QDUY6imle7frrzFy8aub8cogJdO7XzxDPA+mUR srrJ3bYQD1475Cxj32XqvP+NACWt26BDCqZebeV/hc6BnePDUb7GaTM9NSrhOWAHznBm 54MA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature; bh=//RnmDvx1blrAlrKZdovg6+VsTZ6AId04om0iJWKoeU=; b=gEg//cQUvOda2Oxfp7RL8NxO2pEuTCnx175NgFsRfmVrZ7woPZvYPkL5kxX6hWCjPO GHpttU9CFMje54t1nStXPGeXO+KCwN+0nhTp0OjuSphcHBu9u0NsuKxEWBfE8JUOGLm6 4dnNrpXTOHKKLa4bMfuIvELzl/8UJBy156xqmxuVAOOZj+83uRSDPfbeZYtbmEA+9vLy 7F9jR19XmMehrRJYdFuJ/wrIW4XAZ4cQwLwK05F0FdmtCnFgEHq7enFSFpxun5C4GRuI kWr0ULokCf5YD76HsnXSEzvEDMKsw86HGz6MT3nA61kxw8Yy86L/1rYw6WD10/9uRpQW +EZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="rex/N3CT"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k6-20020a1709067ac600b0078dc5c888f1si15972953ejo.135.2022.10.21.00.21.43; Fri, 21 Oct 2022 00:22:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="rex/N3CT"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230184AbiJUG53 (ORCPT + 65 others); Fri, 21 Oct 2022 02:57:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229679AbiJUG51 (ORCPT ); Fri, 21 Oct 2022 02:57:27 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85CC9244718 for ; Thu, 20 Oct 2022 23:57:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 3041CB80B3C for ; Fri, 21 Oct 2022 06:57:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C06B4C433D7; Fri, 21 Oct 2022 06:57:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666335442; bh=aMupwjsEQLJRQg5mTuqYTRYHMFsMezoP9O1/CEIb0Xw=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=rex/N3CTseUyhexAW2PxpavxsIo7jTb4YRcnlLtrLYRQLzsM8qnpFpP/qMlMVECoW u8yTyOtvxkddgUibSi8oweJMWS5cFNrfADdrtylOppYf/LjWRdGfK4ism2eesBD66F rDFudzkK7IhC9DJfMODg21+LmBjIYHLpFExVjryDLy3iCl2kFrjLj3keSPiNsEGkIt Hd5iEXxDmgymOKKfNYM/9FfeNnKS5iPESqmEEYS26KqihDvBxS4HZGSMQ+lCbrO25d aADeVaLbLfX+TXcei3xf62uGn6vHHoDHuLL8nNOTcTnLxX0zN74rCTKH+9gWnF3Bdc Un9c66fxZ6MMQ== From: Kalle Valo To: Dokyung Song Cc: Arend Van Spriel , linux-wireless@vger.kernel.org, Jisoo Jang , Minsuk Kang Subject: Re: [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker' References: <20221021061359.GA550858@laguna> Date: Fri, 21 Oct 2022 09:57:18 +0300 In-Reply-To: <20221021061359.GA550858@laguna> (Dokyung Song's message of "Fri, 21 Oct 2022 15:13:59 +0900") Message-ID: <87v8od1x69.fsf@kernel.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Dokyung Song writes: > This patch fixes an intra-object buffer overflow in brcmfmac that occurs > when the device provides a 'bsscfgidx' equal to or greater than the > buffer size. The patch adds a check that leads to a safe failure if that > is the case. > > This fixes CVE-2022-3628. > > UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c > index 52 is out of range for type 'brcmf_if *[16]' > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > Call Trace: > dump_stack_lvl+0x57/0x7d > ubsan_epilogue+0x5/0x40 > __ubsan_handle_out_of_bounds+0x69/0x80 > ? memcpy+0x39/0x60 > brcmf_fweh_event_worker+0xae1/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > ================================================================================ > general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN > KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff] > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > brcmf_fweh_event_worker+0x117/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > Modules linked in: 88XXau(O) 88x2bu(O) > ---[ end trace 41d302138f3ff55a ]--- > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Kernel panic - not syncing: Fatal exception > > Reported-by: Dokyung Song > Reported-by: Jisoo Jang > Reported-by: Minsuk Kang > Reviewed-by: Arend van Spriel > Signed-off-by: Dokyung Song > --- > v1->v2: Addressed review comments > v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ > 1 file changed, 4 insertions(+) Please include the driver name in the subject. And we prefer use parenthesis with function names. So the subject should be: wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() I can fix that during commit. Should I queue this to v6.1? -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches