From: Minsuk Kang
To: linux-wireless@vger.kernel.org, aspriel@gmail.com
Cc: dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
Subject: [PATCH] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
Date: Mon, 24 Oct 2022 16:13:29 +0900
Message-Id: <20221024071329.504277-1-linuxlovemin@yonsei.ac.kr>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-wireless@vger.kernel.org

This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev).

The patch adds a check that makes the function return NULL if that
is the case. Note that the NULL case is later handled by the
bus-specific caller, brcmf_usb_probe_cb() or brcmf_usb_reset_resume(),
for example.

Found by a modified version of syzkaller.

UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
 ? lock_chain_count+0x20/0x20
 brcmf_fw_alloc_request.cold+0x19/0x3ea
 ? brcmf_fw_get_firmwares+0x250/0x250
 ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
 brcmf_usb_get_fwname+0x114/0x1a0
 ? brcmf_usb_reset_resume+0x120/0x120
 ? number+0x6c4/0x9a0
 brcmf_c_process_clm_blob+0x168/0x590
 ? put_dec+0x90/0x90
 ? enable_ptr_key_workfn+0x20/0x20
 ? brcmf_common_pd_remove+0x50/0x50
 ? rcu_read_lock_sched_held+0xa1/0xd0
 brcmf_c_preinit_dcmds+0x673/0xc40
 ? brcmf_c_set_joinpref_default+0x100/0x100
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? lock_acquire+0x19d/0x4e0
 ? find_held_lock+0x2d/0x110
 ? brcmf_usb_deq+0x1cc/0x260
 ? mark_held_locks+0x9f/0xe0
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? _raw_spin_unlock_irqrestore+0x47/0x50
 ? trace_hardirqs_on+0x1c/0x120
 ? brcmf_usb_deq+0x1a7/0x260
 ? brcmf_usb_rx_fill_all+0x5a/0xf0
 brcmf_attach+0x246/0xd40
 ? wiphy_new_nm+0x1476/0x1d50
 ? kmemdup+0x30/0x40
 brcmf_usb_probe+0x12de/0x1690
 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 ? usb_match_id.part.0+0x88/0xc0
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 ? driver_allows_async_probing+0x120/0x120
 bus_for_each_drv+0x123/0x1a0
 ? bus_rescan_devices+0x20/0x20
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? trace_hardirqs_on+0x1c/0x120
 __device_attach+0x207/0x330
 ? device_bind_driver+0xb0/0xb0
 ? kobject_uevent_env+0x230/0x12c0
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 ? __mutex_unlock_slowpath+0xe7/0x660
 ? __fw_devlink_link_to_suppliers+0x550/0x550
 usb_set_configuration+0x984/0x1770
 ? kernfs_create_link+0x175/0x230
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 ? driver_allows_async_probing+0x120/0x120
 bus_for_each_drv+0x123/0x1a0
 ? bus_rescan_devices+0x20/0x20
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? trace_hardirqs_on+0x1c/0x120
 __device_attach+0x207/0x330
 ? device_bind_driver+0xb0/0xb0
 ? kobject_uevent_env+0x230/0x12c0
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 ? __fw_devlink_link_to_suppliers+0x550/0x550
 usb_new_device.cold+0x463/0xf66
 ? hub_disconnect+0x400/0x400
 ? _raw_spin_unlock_irq+0x24/0x30
 hub_event+0x10d5/0x3330
 ? hub_port_debounce+0x280/0x280
 ? __lock_acquire+0x1671/0x5790
 ? wq_calc_node_cpumask+0x170/0x2a0
 ? lock_release+0x640/0x640
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 process_one_work+0x873/0x13e0
 ? lock_release+0x640/0x640
 ? pwq_dec_nr_in_flight+0x320/0x320
 ? rwlock_bug.part.0+0x90/0x90
 worker_thread+0x8b/0xd10
 ? __kthread_parkme+0xd9/0x1d0
 ? process_one_work+0x13e0/0x13e0
 kthread+0x379/0x450
 ? _raw_spin_unlock_irq+0x24/0x30
 ? set_kthread_struct+0x100/0x100
 ret_from_fork+0x1f/0x30

Reported-by: Dokyung Song
Reported-by: Jisoo Jang
Reported-by: Minsuk Kang
Signed-off-by: Minsuk Kang
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
index f2207793f6e2..09d2f2dc2b46 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
@@ -803,6 +803,11 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev,
 	u32 i, j;
 	char end = '\0';
 
+	if (chiprev >= BITS_PER_TYPE(u32)) {
+		brcmf_err("Invalid chip revision %u\n", chiprev);
+		return NULL;
+	}
+
 	for (i = 0; i < table_size; i++) {
 		if (mapping_table[i].chipid == chip &&
 		    mapping_table[i].revmask & BIT(chiprev))
-- 
2.25.1
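Review bot: the bound `chiprev >= BITS_PER_TYPE(u32)` in the added block is correct only because the field it protects, `mapping_table[i].revmask` in the `&& mapping_table[i].revmask & BIT(chiprev)` context line, is a u32, and that coupling is left implicit. Deriving the limit from the field itself, e.g. `BITS_PER_TYPE(typeof(mapping_table[0].revmask))`, or a one-line comment stating that revmask is 32 bits wide, would keep the check from silently going stale if the mask type is ever widened. Since the new error path fires on device-supplied input, consider also including `chip` in the `brcmf_err()` message so a log line identifies which device produced the bad revision.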
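The commit message explains why the limit has to be the width of the u32 mask rather than the width of the `unsigned long` that `BIT()` shifts. The following is an added user-space model of that lookup, not the brcmfmac driver's code: the `mapping_table` entries, chip ids, masks and firmware names are constructed for illustration, and `BIT()`/`BITS_PER_TYPE()` are local stand-ins for the kernel macros. It rejects the exponent from the UBSAN report as well as the 32..63 range that would shift without UBSAN noticing but could never match a 32-bit mask.

```c
/*
 * Added example (not the brcmfmac driver's code): a user-space model of the
 * revision-mask lookup in brcmf_fw_alloc_request(), with the bound check
 * the patch introduces. Table contents below are constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Local stand-ins for the kernel macros: BIT() shifts an unsigned long. */
#define BITS_PER_TYPE(t) (sizeof(t) * 8)
#define BIT(n) (1UL << (n))

struct fw_mapping {
	uint32_t chipid;
	uint32_t revmask;	/* bit i set: revision i uses this entry */
	const char *fwname;
};

/* Constructed sample table; chip ids, masks and names are made up. */
static const struct fw_mapping mapping_table[] = {
	{ 0x4356, 0xFFFFFFFFu, "fw-4356.bin" },
	{ 0x43A3, 0x00000007u, "fw-43a3-rev0-2.bin" },
	{ 0x43A3, 0x00000008u, "fw-43a3-rev3.bin" },
};
static const size_t table_size = sizeof(mapping_table) / sizeof(mapping_table[0]);

/*
 * The bound is the width of revmask, not of unsigned long. On a 64-bit host
 * BIT(40) is a well-defined shift, but revmask & BIT(40) can never be
 * non-zero, so a revision in 32..63 is as invalid as 151055786 (the exponent
 * in the UBSAN report) and is rejected the same way.
 */
int chiprev_is_valid(uint32_t chiprev)
{
	return chiprev < BITS_PER_TYPE(uint32_t);
}

/*
 * Returns the firmware name for (chip, chiprev), or NULL when chiprev is out
 * of range or no table entry matches. Validating chiprev first guarantees
 * that BIT(chiprev) is only evaluated with an exponent below 32.
 */
const char *fw_lookup(uint32_t chip, uint32_t chiprev)
{
	size_t i;

	if (!chiprev_is_valid(chiprev)) {
		fprintf(stderr, "Invalid chip revision %" PRIu32 "\n", chiprev);
		return NULL;
	}

	for (i = 0; i < table_size; i++) {
		if (mapping_table[i].chipid == chip &&
		    (mapping_table[i].revmask & BIT(chiprev)))
			return mapping_table[i].fwname;
	}
	return NULL;
}

int main(void)
{
	/* Constructed inputs: two valid revisions, the first invalid one,
	 * and the value reported by UBSAN in the mail. */
	const uint32_t revs[] = { 3, 31, 32, 151055786u };
	size_t i;

	for (i = 0; i < sizeof(revs) / sizeof(revs[0]); i++) {
		const char *fw = fw_lookup(0x4356, revs[i]);
		printf("chip 0x4356 rev %" PRIu32 " -> %s\n", revs[i],
		       fw ? fw : "(rejected)");
	}
	return 0;
}
```

Compile with any C99 compiler and run; adding `-fsanitize=undefined` and removing the `chiprev_is_valid()` call reproduces the class of report shown in the mail on a 64-bit host only for exponents of 64 and above, which is exactly why the check must be tied to the mask width rather than to what the sanitizer happens to catch.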