Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp9840195rwl; Wed, 11 Jan 2023 10:40:36 -0800 (PST) X-Google-Smtp-Source: AMrXdXtMsDoHs3Drm70MISbTmgqJhsQ9n4zBn/Y/bPWdG5uuYuPL/oq8p5AqgTXtUPCV64AGU0y8 X-Received: by 2002:a17:906:92d2:b0:861:3ed5:e029 with SMTP id d18-20020a17090692d200b008613ed5e029mr1732450ejx.49.1673462436538; Wed, 11 Jan 2023 10:40:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673462436; cv=none; d=google.com; s=arc-20160816; b=Ybhf11szzm8zAuT4EXHo9LOIdTPmjQA3Kvc+Kre0Gd07UwLho7h0g83kr/AINN4LHX qBAY2xr5qyZIEBrMAMoWm57GrhH47jy5FCvigUFXFplyJP2P+tmd8ZueOJHGE7jJYsM+ jmrNIZwDl364gizlJqgVsrYzqYN/zzCEdI6ZbgMSBdop7VgR3EvrQOhaROQR+4ultKIK +MDHBD4tLWz+mYHDE3tpZvufKIPlsk6nWlYcWwZNeYHgaayUaopc1uhuZfTrsJcvgGcc 9nZyBlITCUWpiFdA4OxKoTEaIDK9u4n9bEwqyF54cCtcoh3Fy5588qcWGgzugkxqSPja sI6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8rjvOq9k/F/pv9zTj8LqXw/+Mi7PQp9geFeWzmYvddk=; b=bMwK57Frp5lL4+uUYw9D+EY9C79VOPhC6Rc8pp1YpsXrbJOKk2WuD5SB/Bpu7Zm1a6 QNOjALCDfCrY949B414fsaOE4BYfYST/MPRiCUi0ztvQF5zDoWuVKV/Ud3Z+gx/HLt2O q4QlVCzN2kACsXWOqCemnDBCT6zSgUwuQPRtNvRNO0DY4d/oLqos+VeGcw8UmjqmOs0Y MlsFc0FDWhzRWW2q0XfqUdGrrh4JOu4og6sbVjkzmh0vzcskam4+SmiBGAbtQDuob5RV n5070FfazXYpCZdcXEwsb5m11eaShDBSwRXderN13IA/yCirrnCAKlfSF6oEMgkNEPMo gp+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=FeVvk402; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h9-20020a05640250c900b0046abe52aca7si17366730edb.486.2023.01.11.10.40.15; Wed, 11 Jan 2023 10:40:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=FeVvk402; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231511AbjAKSa3 (ORCPT + 66 others); Wed, 11 Jan 2023 13:30:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36422 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235083AbjAKS2Z (ORCPT ); Wed, 11 Jan 2023 13:28:25 -0500 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD9BF33D46; Wed, 11 Jan 2023 10:28:24 -0800 (PST) Received: by mail-pg1-x52c.google.com with SMTP id 141so11163050pgc.0; Wed, 11 Jan 2023 10:28:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8rjvOq9k/F/pv9zTj8LqXw/+Mi7PQp9geFeWzmYvddk=; b=FeVvk402TAjY56JdUzGjDzoU4373hWMaJ094pEdCu3oCKpaH2Q7jIhMaOkx7KoBTB6 27b8L0KHRC+P3y7kvNvv+/jZHMLk3Ss2omvFFs+L2gYtzj26dp6KCkcXlnGQ1EIR1FRA wcrQpHKdmBjlkyF+C+3v+l9h2bIA4uXl/NtjBUM2sTKUgDIQjGMak7gahl+qp80QKpty WVwri5g7DN6rkZxU6APSsLwZ5Vi6jj4B5kUg4PCDsQdE6IoVwZQnyFLvq46r5DgU/bMv kVYGsKOa4VgH4XeobBlXtZFL6tI2jCzNYk1wLwrqVKd+CAzgkhro6WhyeE8eQftwJex0 XWMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8rjvOq9k/F/pv9zTj8LqXw/+Mi7PQp9geFeWzmYvddk=; b=2qX5dxU0CyTzetdO9+sGw5R/yEsYZafJg7F4h42LO3BxaqRp41XdYf4B8As3UTkQt0 ILMhXCDNcigKxzLLyzPSkKmKA9nQl6QtE0oGs40sYDr+rjr0GX6bl/Pt8RLDG4nXVBjy e7cnxJgPU8xc70ugIyd4D/9y7Ek3of4XkVLseBzPE4dKS2+OsWqhrlMQ4yGNP8qLOXQN ctY9dRTozUJfPdnAeIxXqILSzIaPgaHyzMEgLNNEgu+A/LHp9Lr+7Gg+20NugzUhZWuB f2iR2aaLgFbSP2iQrx43ClkU6CPvShxvmobSlasc7tUIVrSc7TcSkUhlOpUSUSM2eCbd M8OA== X-Gm-Message-State: AFqh2krlQQ+Iyx4iLVA9wIqnlXXRbYTY3mvA0B4OzFQRqFhu/M/FUKnR 1ks/aaLBVtQCZm5yb7xx/26u8V8H1ZR42BjVXZM= X-Received: by 2002:a62:1853:0:b0:586:2b38:4927 with SMTP id 80-20020a621853000000b005862b384927mr1624860pfy.53.1673461704120; Wed, 11 Jan 2023 10:28:24 -0800 (PST) MIME-Version: 1.0 References: <20230111175031.7049-1-szymon.heidrich@gmail.com> In-Reply-To: <20230111175031.7049-1-szymon.heidrich@gmail.com> From: Alexander Duyck Date: Wed, 11 Jan 2023 10:28:12 -0800 Message-ID: Subject: Re: [PATCH v2] rndis_wlan: Prevent buffer overflow in rndis_query_oid To: Szymon Heidrich Cc: kvalo@kernel.org, jussi.kivilinna@iki.fi, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, greg@kroah.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Wed, Jan 11, 2023 at 9:51 AM Szymon Heidrich wrote: > > Since resplen and respoffs are signed integers sufficiently > large values of unsigned int len and offset members of RNDIS > response will result in negative values of prior variables. > This may be utilized to bypass implemented security checks > to either extract memory contents by manipulating offset or > overflow the data buffer via memcpy by manipulating both > offset and len. > > Additionally assure that sum of resplen and respoffs does not > overflow so buffer boundaries are kept. > > Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond") > Signed-off-by: Szymon Heidrich > --- > V1 -> V2: Use size_t and min macro, fix netdev_dbg format > > drivers/net/wireless/rndis_wlan.c | 19 ++++++------------- > 1 file changed, 6 insertions(+), 13 deletions(-) > > diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c > index 82a7458e0..bf72e5fd3 100644 > --- a/drivers/net/wireless/rndis_wlan.c > +++ b/drivers/net/wireless/rndis_wlan.c > @@ -696,8 +696,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) > struct rndis_query *get; > struct rndis_query_c *get_c; > } u; > - int ret, buflen; > - int resplen, respoffs, copylen; > + int ret; > + size_t buflen, resplen, respoffs, copylen; > > buflen = *len + sizeof(*u.get); > if (buflen < CONTROL_BUFFER_SIZE) > @@ -732,22 +732,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) > > if (respoffs > buflen) { > /* Device returned data offset outside buffer, error. */ > - netdev_dbg(dev->net, "%s(%s): received invalid " > - "data offset: %d > %d\n", __func__, > - oid_to_string(oid), respoffs, buflen); > + netdev_dbg(dev->net, > + "%s(%s): received invalid data offset: %zu > %zu\n", > + __func__, oid_to_string(oid), respoffs, buflen); > > ret = -EINVAL; > goto exit_unlock; > } > > - if ((resplen + respoffs) > buflen) { > - /* Device would have returned more data if buffer would > - * have been big enough. Copy just the bits that we got. > - */ > - copylen = buflen - respoffs; > - } else { > - copylen = resplen; > - } > + copylen = min(resplen, buflen - respoffs); > > if (copylen > *len) > copylen = *len; Looks good to me. Reviewed-by: Alexander Duyck