Subject: Re: [PATCH v2] wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
From: Kalle Valo
In-Reply-To: <20221116142952.518241-1-linuxlovemin@yonsei.ac.kr>
References: <20221116142952.518241-1-linuxlovemin@yonsei.ac.kr>
To: Minsuk Kang
Cc: linux-wireless@vger.kernel.org, arend.vanspriel@broadcom.com, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
User-Agent: pwcli/0.1.1-git (https://github.com/kvalo/pwcli/) Python/3.7.3
Message-ID: <166989252803.31196.16218805940301074882.kvalo@kernel.org>
Date: Thu, 1 Dec 2022 11:02:13 +0000 (UTC)
X-Mailing-List: linux-wireless@vger.kernel.org

Minsuk Kang wrote:

> This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
> brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
> value of channel specifications provided by the device is greater than
> the length of 'list->element[]', decided by the size of the 'list'
> allocated with kzalloc(). The patch adds checks that make the functions
> free the buffer and return -EINVAL if that is the case. Note that the
> negative return is handled by the caller, brcmf_setup_wiphybands() or
> brcmf_cfg80211_attach().
>
> Found by a modified version of syzkaller.
>
> Crash Report from brcmf_construct_chaninfo():
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
> Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
>
> CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  dump_stack_lvl+0x57/0x7d
>  print_address_description.constprop.0.cold+0x93/0x334
>  kasan_report.cold+0x83/0xdf
>  brcmf_setup_wiphybands+0x1238/0x1430
>  brcmf_cfg80211_attach+0x2118/0x3fd0
>  brcmf_attach+0x389/0xd40
>  brcmf_usb_probe+0x12de/0x1690
>  usb_probe_interface+0x25f/0x710
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_set_configuration+0x984/0x1770
>  usb_generic_driver_probe+0x69/0x90
>  usb_probe_device+0x9c/0x220
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_new_device.cold+0x463/0xf66
>  hub_event+0x10d5/0x3330
>  process_one_work+0x873/0x13e0
>  worker_thread+0x8b/0xd10
>  kthread+0x379/0x450
>  ret_from_fork+0x1f/0x30
>
> Allocated by task 1896:
>  kasan_save_stack+0x1b/0x40
>  __kasan_kmalloc+0x7c/0x90
>  kmem_cache_alloc_trace+0x19e/0x330
>  brcmf_setup_wiphybands+0x290/0x1430
>  brcmf_cfg80211_attach+0x2118/0x3fd0
>  brcmf_attach+0x389/0xd40
>  brcmf_usb_probe+0x12de/0x1690
>  usb_probe_interface+0x25f/0x710
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_set_configuration+0x984/0x1770
>  usb_generic_driver_probe+0x69/0x90
>  usb_probe_device+0x9c/0x220
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_new_device.cold+0x463/0xf66
>  hub_event+0x10d5/0x3330
>  process_one_work+0x873/0x13e0
>  worker_thread+0x8b/0xd10
>  kthread+0x379/0x450
>  ret_from_fork+0x1f/0x30
>
> The buggy address belongs to the object at ffff888115f24000
>  which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 1536 bytes inside of
>  2048-byte region [ffff888115f24000, ffff888115f24800)
>
> Memory state around the buggy address:
>  ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                    ^
>  ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
> Crash Report from brcmf_enable_bw40_2g():
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
> Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896
>
> CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  dump_stack_lvl+0x57/0x7d
>  print_address_description.constprop.0.cold+0x93/0x334
>  kasan_report.cold+0x83/0xdf
>  brcmf_cfg80211_attach+0x3d11/0x3fd0
>  brcmf_attach+0x389/0xd40
>  brcmf_usb_probe+0x12de/0x1690
>  usb_probe_interface+0x25f/0x710
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_set_configuration+0x984/0x1770
>  usb_generic_driver_probe+0x69/0x90
>  usb_probe_device+0x9c/0x220
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_new_device.cold+0x463/0xf66
>  hub_event+0x10d5/0x3330
>  process_one_work+0x873/0x13e0
>  worker_thread+0x8b/0xd10
>  kthread+0x379/0x450
>  ret_from_fork+0x1f/0x30
>
> Allocated by task 1896:
>  kasan_save_stack+0x1b/0x40
>  __kasan_kmalloc+0x7c/0x90
>  kmem_cache_alloc_trace+0x19e/0x330
>  brcmf_cfg80211_attach+0x3302/0x3fd0
>  brcmf_attach+0x389/0xd40
>  brcmf_usb_probe+0x12de/0x1690
>  usb_probe_interface+0x25f/0x710
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_set_configuration+0x984/0x1770
>  usb_generic_driver_probe+0x69/0x90
>  usb_probe_device+0x9c/0x220
>  really_probe+0x1be/0xa90
>  __driver_probe_device+0x2ab/0x460
>  driver_probe_device+0x49/0x120
>  __device_attach_driver+0x18a/0x250
>  bus_for_each_drv+0x123/0x1a0
>  __device_attach+0x207/0x330
>  bus_probe_device+0x1a2/0x260
>  device_add+0xa61/0x1ce0
>  usb_new_device.cold+0x463/0xf66
>  hub_event+0x10d5/0x3330
>  process_one_work+0x873/0x13e0
>  worker_thread+0x8b/0xd10
>  kthread+0x379/0x450
>  ret_from_fork+0x1f/0x30
>
> The buggy address belongs to the object at ffff888103787000
>  which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 1536 bytes inside of
>  2048-byte region [ffff888103787000, ffff888103787800)
>
> Memory state around the buggy address:
>  ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                    ^
>  ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
> Reported-by: Dokyung Song
> Reported-by: Jisoo Jang
> Reported-by: Minsuk Kang
> Reviewed-by: Arend van Spriel
> Signed-off-by: Minsuk Kang

Patch applied to wireless-next.git, thanks.

4920ab131b2d wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20221116142952.518241-1-linuxlovemin@yonsei.ac.kr/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
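The check the patch above introduces, modelled as an added host-side C example rather than the driver's own code: the count the device reports is compared against what the kzalloc()'d buffer can actually hold before `element[]` is read. The struct layout and the 1536-byte buffer size are assumed from the driver's `brcmf_chanspec_list` and `BRCMF_DCMD_MEDLEN`; the "1536 bytes inside" offset in the KASAN reports above is consistent with that size.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Mirrors struct brcmf_chanspec_list: a count followed by that many 32-bit
 * channel specs (host byte order here; the driver uses __le32). */
struct chanspec_list {
    uint32_t count;
    uint32_t element[];
};

/* Size of the reply buffer the driver kzalloc()s (BRCMF_DCMD_MEDLEN, 1536). */
#define DCMD_MEDLEN 1536

/* Largest count that still fits inside a buflen-byte buffer. */
size_t chanspec_capacity(size_t buflen)
{
    if (buflen < sizeof(struct chanspec_list))
        return 0;
    return (buflen - sizeof(struct chanspec_list)) / sizeof(uint32_t);
}

/* Walk the list as brcmf_construct_chaninfo() does, but refuse a count the
 * buffer cannot hold. Returns entries copied to out, or -EINVAL. */
int walk_chanspecs(const void *buf, size_t buflen, uint32_t *out, size_t outlen)
{
    const struct chanspec_list *list = buf;
    uint32_t total = list->count;
    size_t i;
    /* The check the patch adds: validate count before element[] is read. */
    if (total > chanspec_capacity(buflen) || total > outlen)
        return -EINVAL;
    for (i = 0; i < total; i++)
        out[i] = list->element[i];
    return (int)i;
}

/* Constructed input: a zeroed buffer of the driver's size whose header
 * claims `claimed` entries, as a buggy or hostile device could report. */
int demo_with_count(uint32_t claimed)
{
    unsigned char *buf = calloc(1, DCMD_MEDLEN);
    uint32_t out[DCMD_MEDLEN / sizeof(uint32_t)];
    int rc;
    if (!buf) return -ENOMEM;
    ((struct chanspec_list *)buf)->count = claimed;
    rc = walk_chanspecs(buf, DCMD_MEDLEN, out, sizeof(out) / sizeof(out[0]));
    free(buf);
    return rc;
}
```

With a 1536-byte buffer the capacity is 383 entries, so a count of 384 or more is rejected with -EINVAL instead of reading past the allocation.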