Subject: Re: [PATCH] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
From: Kalle Valo
To: Jisoo Jang
Cc: aspriel@gmail.com, linux-wireless@vger.kernel.org, Dokyung Song, Minsuk Kang
In-Reply-To: <20221115043458.37562-1-jisoo.jang@yonsei.ac.kr>
References: <20221115043458.37562-1-jisoo.jang@yonsei.ac.kr>
Message-ID: <167172522689.8231.12407819211447694600.kvalo@kernel.org>
Date: Thu, 22 Dec 2022 16:07:08 +0000 (UTC)

Jisoo Jang wrote:

> This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
> when 'buf' that is not null-terminated is passed as an argument of
> strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
> version string by memcpy() in brcmf_fil_iovar_data_get().
> The patch ensures buf is null-terminated.
>
> Found by a modified version of syzkaller.
>
> [ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
> [ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
> [ 47.601565][ T1897] ==================================================================
> [ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
> [ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
> [ 47.604336][ T1897]
> [ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131
> [ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> [ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event
> [ 47.607453][ T1897] Call Trace:
> [ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1
> [ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334
> [ 47.609009][ T1897] ? strsep+0x1b2/0x1f0
> [ 47.609434][ T1897] ? strsep+0x1b2/0x1f0
> [ 47.609863][ T1897] kasan_report.cold+0x83/0xdf
> [ 47.610366][ T1897] ? strsep+0x1b2/0x1f0
> [ 47.610882][ T1897] strsep+0x1b2/0x1f0
> [ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0
> [ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40
> [ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100
> [ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
> [ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
> [ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0
> [ 47.614704][ T1897] ? find_held_lock+0x2d/0x110
> [ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260
> [ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0
> [ 47.616288][ T1897] brcmf_attach+0x246/0xd40
> [ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0
> [ 47.617280][ T1897] ? kmemdup+0x43/0x50
> [ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690
> [ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
> [ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760
> [ 47.619429][ T1897] ? usb_probe_device+0x250/0x250
> [ 47.619950][ T1897] really_probe+0x205/0xb70
> [ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130
> [ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0
> [ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130
> [ 47.622209][ T1897] driver_probe_device+0x4e/0x150
> [ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0
> [ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0
> [ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30
> [ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> [ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160
> [ 47.625437][ T1897] __device_attach+0x23f/0x3a0
> [ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0
> [ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0
> [ 47.627057][ T1897] bus_probe_device+0x1da/0x290
> [ 47.627557][ T1897] device_add+0xb7b/0x1eb0
> [ 47.628027][ T1897] ? wait_for_completion+0x290/0x290
> [ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
> [ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0
> [ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0
> [ 47.630385][ T1897] usb_probe_device+0xbb/0x250
> [ 47.630927][ T1897] ? usb_suspend+0x590/0x590
> [ 47.631397][ T1897] really_probe+0x205/0xb70
> [ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130
> [ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0
> [ 47.633002][ T1897] ? usb_generic_driver_match+0x75/0x90
> [ 47.633573][ T1897] ? driver_allows_async_probing+0x130/0x130
> [ 47.634170][ T1897] driver_probe_device+0x4e/0x150
> [ 47.634703][ T1897] __device_attach_driver+0x1cc/0x2a0
> [ 47.635248][ T1897] bus_for_each_drv+0x156/0x1d0
> [ 47.635748][ T1897] ? bus_rescan_devices+0x30/0x30
> [ 47.636271][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> [ 47.636881][ T1897] ? trace_hardirqs_on+0x46/0x160
> [ 47.637396][ T1897] __device_attach+0x23f/0x3a0
> [ 47.637904][ T1897] ? device_bind_driver+0xd0/0xd0
> [ 47.638426][ T1897] ? kobject_uevent_env+0x287/0x14b0
> [ 47.638985][ T1897] bus_probe_device+0x1da/0x290
> [ 47.639512][ T1897] device_add+0xb7b/0x1eb0
> [ 47.639977][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
> [ 47.640612][ T1897] ? kfree+0x14a/0x6b0
> [ 47.641055][ T1897] ? __usb_get_extra_descriptor+0x116/0x160
> [ 47.641679][ T1897] usb_new_device.cold+0x49c/0x1029
> [ 47.642245][ T1897] ? hub_disconnect+0x450/0x450
> [ 47.642756][ T1897] ? rwlock_bug.part.0+0x90/0x90
> [ 47.643273][ T1897] ? _raw_spin_unlock_irq+0x24/0x30
> [ 47.643822][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> [ 47.644445][ T1897] hub_event+0x1c98/0x3950
> [ 47.644939][ T1897] ? hub_port_debounce+0x2e0/0x2e0
> [ 47.645467][ T1897] ? check_irq_usage+0x861/0xf20
> [ 47.645975][ T1897] ? drain_workqueue+0x280/0x360
> [ 47.646506][ T1897] ? lock_release+0x640/0x640
> [ 47.646994][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
> [ 47.647572][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
> [ 47.648111][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> [ 47.648735][ T1897] process_one_work+0x92b/0x1460
> [ 47.649262][ T1897] ? pwq_dec_nr_in_flight+0x330/0x330
> [ 47.649816][ T1897] ? rwlock_bug.part.0+0x90/0x90
> [ 47.650336][ T1897] worker_thread+0x95/0xe00
> [ 47.650830][ T1897] ? __kthread_parkme+0x115/0x1e0
> [ 47.651361][ T1897] ? process_one_work+0x1460/0x1460
> [ 47.651904][ T1897] kthread+0x3a1/0x480
> [ 47.652329][ T1897] ? set_kthread_struct+0x120/0x120
> [ 47.652878][ T1897] ret_from_fork+0x1f/0x30
> [ 47.653370][ T1897]
> [ 47.653608][ T1897]
> [ 47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame:
> [ 47.654891][ T1897] brcmf_c_preinit_dcmds+0x0/0xc40
> [ 47.655442][ T1897]
> [ 47.655690][ T1897] this frame has 4 objects:
> [ 47.656151][ T1897] [48, 56) 'ptr'
> [ 47.656159][ T1897] [80, 148) 'revinfo'
> [ 47.656534][ T1897] [192, 210) 'eventmask'
> [ 47.656953][ T1897] [256, 512) 'buf'
> [ 47.657410][ T1897]
> [ 47.658035][ T1897] Memory state around the buggy address:
> [ 47.658743][ T1897] ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 47.659577][ T1897] ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
> [ 47.661199][ T1897] ^
> [ 47.661625][ T1897] ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 47.662455][ T1897] ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
> [ 47.663318][ T1897] ==================================================================
> [ 47.664147][ T1897] Disabling lock debugging due to kernel taint
>
> Reported-by: Dokyung Song
> Reported-by: Jisoo Jang
> Reported-by: Minsuk Kang
> Signed-off-by: Jisoo Jang

Patch applied to wireless-next.git, thanks.

0a06cadcc2a0 wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
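The failure mode the quoted commit message describes, reduced to a user-space C program: a fixed-size stack buffer is filled by a plain memcpy() from a device reply that carries no NUL byte, and strsep() then has no terminator to stop at. This is an added example, not code from this e-mail or from the brcmfmac driver. The names make_fw_reply, fil_iovar_data_get, preinit_before, preinit_after and REPLY_BUF_LEN are my stand-ins; the 256-byte buffer size follows the 'buf' object in the KASAN frame above; and the way preinit_after obtains a terminated buffer (copy one byte less, write the NUL) is my illustration of the property the commit message states, not the upstream diff. The "before" function stops at the precondition check instead of calling strsep() on the unterminated buffer, so it reports the problem rather than reproducing the out-of-bounds read.

```c
#define _GNU_SOURCE 1          /* strsep() is a POSIX/BSD extension on glibc */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack reply buffer. 256 matches the 'buf' object [256, 512)
 * listed in the KASAN frame; the macro name is mine, not the driver's. */
#define REPLY_BUF_LEN 256

/* Constructed stand-in for the device: fills 'len' bytes of the reply with a
 * version string, repeating it as needed and never writing a NUL. Nothing
 * forces a real (or fuzzed) device to terminate the string it returns. */
static void make_fw_reply(unsigned char *reply, size_t len)
{
    const char *ver = "wl0: version 1.2.3 (constructed)\n";
    size_t vlen = strlen(ver);
    for (size_t i = 0; i < len; i++)
        reply[i] = (unsigned char)ver[i % vlen];
}

/* Stand-in for brcmf_fil_iovar_data_get(): per the commit message it fills the
 * caller's buffer with memcpy(), which copies bytes and adds no terminator. */
static void fil_iovar_data_get(const unsigned char *reply, void *data, size_t len)
{
    memcpy(data, reply, len);
}

/* The precondition strsep() needs: a NUL somewhere inside the buffer. */
static int is_nul_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Before: the pattern in the report. The copy is sizeof(buf), so when the
 * reply carries no NUL the buffer ends without one; strsep() would scan past
 * buf into the rest of the frame (the "Read of size 1 at ... offset 512").
 * Returns 1 if a terminator is present, 0 if strsep() must not be called. */
static int preinit_before(const unsigned char *reply)
{
    char buf[REPLY_BUF_LEN];

    memset(buf, 0, sizeof(buf));
    fil_iovar_data_get(reply, buf, sizeof(buf));   /* fills all 256 bytes */
    return is_nul_terminated(buf, sizeof(buf));
}

/* After: ensure buf is NUL-terminated before strsep() sees it. Copying one
 * byte less and writing the terminator is this example's way of providing
 * the guarantee; the zero-filled last byte can no longer be overwritten. */
static int preinit_after(const unsigned char *reply, char *line_out, size_t out_len)
{
    char buf[REPLY_BUF_LEN];
    char *ptr;

    memset(buf, 0, sizeof(buf));
    fil_iovar_data_get(reply, buf, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    if (!is_nul_terminated(buf, sizeof(buf)))
        return -1;                                  /* cannot happen now */
    ptr = buf;
    strsep(&ptr, "\n");        /* cut the version string at its first newline */
    snprintf(line_out, out_len, "%s", buf);
    return 0;
}

/* Entry points that build the constructed reply themselves, so a caller can
 * check the before/after behaviour without managing buffers. */
static int before_is_terminated(void)
{
    unsigned char reply[REPLY_BUF_LEN];
    make_fw_reply(reply, sizeof(reply));
    return preinit_before(reply);
}

static const char *after_first_line(void)
{
    static char line[REPLY_BUF_LEN];
    unsigned char reply[REPLY_BUF_LEN];
    make_fw_reply(reply, sizeof(reply));
    if (preinit_after(reply, line, sizeof(line)) != 0)
        return NULL;
    return line;
}

int main(void)
{
    printf("before: terminator inside buf? %s\n",
           before_is_terminated() ? "yes" : "no (strsep would read out of bounds)");
    printf("after:  firmware line = \"%s\"\n", after_first_line());
    return 0;
}
```

The memset() alone is not enough: a full-length copy overwrites every zero byte, which is why the size passed to the copy, not the initialisation, decides whether a terminator survives. KASAN catches this only when a test device or fuzzer actually returns a full, unterminated reply; the memchr() check above is the cheap invariant to assert in a unit test so the case does not depend on such a device.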