kernel / kernel-source

Clone
Source Code
GIT

Blame patches.suse/wifi-rndis_wlan-Prevent-buffer-overflow-in-rndis_que.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   2827685c2b4cb88d28506b0d761675f08c1b9bdf
  2.   patches.suse
  3.   wifi-rndis_wlan-Prevent-buffer-overflow-in-rndis_que.patch
Blob History Raw
Takashi Iwai c70519 
From b870e73a56c4cccbec33224233eaf295839f228c Mon Sep 17 00:00:00 2001
Takashi Iwai c70519 
From: Szymon Heidrich <szymon.heidrich@gmail.com>
Takashi Iwai c70519 
Date: Wed, 11 Jan 2023 18:50:31 +0100
Takashi Iwai c70519 
Subject: [PATCH] wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
Takashi Iwai c70519 
Git-commit: b870e73a56c4cccbec33224233eaf295839f228c
Takashi Iwai c70519 
Patch-mainline: v6.2-rc5
Takashi Iwai c70519 
References: git-fixes
Takashi Iwai c70519
Takashi Iwai c70519 
Since resplen and respoffs are signed integers sufficiently
Takashi Iwai c70519 
large values of unsigned int len and offset members of RNDIS
Takashi Iwai c70519 
response will result in negative values of prior variables.
Takashi Iwai c70519 
This may be utilized to bypass implemented security checks
Takashi Iwai c70519 
to either extract memory contents by manipulating offset or
Takashi Iwai c70519 
overflow the data buffer via memcpy by manipulating both
Takashi Iwai c70519 
offset and len.
Takashi Iwai c70519
Takashi Iwai c70519 
Additionally assure that sum of resplen and respoffs does not
Takashi Iwai c70519 
overflow so buffer boundaries are kept.
Takashi Iwai c70519
Takashi Iwai c70519 
Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
Takashi Iwai c70519 
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Takashi Iwai c70519 
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Takashi Iwai c70519 
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Takashi Iwai c70519 
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
Takashi Iwai c70519 
Acked-by: Takashi Iwai <tiwai@suse.de>
Takashi Iwai c70519
Takashi Iwai c70519 
---
Takashi Iwai c70519 
 drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
Takashi Iwai c70519 
 1 file changed, 6 insertions(+), 13 deletions(-)
Takashi Iwai c70519
Takashi Iwai c70519 
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
Takashi Iwai c70519 
index 82a7458e01ae..bf72e5fd39cf 100644
Takashi Iwai c70519 
--- a/drivers/net/wireless/rndis_wlan.c
Takashi Iwai c70519 
+++ b/drivers/net/wireless/rndis_wlan.c
Takashi Iwai c70519 
@@ -696,8 +696,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
Takashi Iwai c70519 
 		struct rndis_query	*get;
Takashi Iwai c70519 
 		struct rndis_query_c	*get_c;
Takashi Iwai c70519 
 	} u;
Takashi Iwai c70519 
-	int ret, buflen;
Takashi Iwai c70519 
-	int resplen, respoffs, copylen;
Takashi Iwai c70519 
+	int ret;
Takashi Iwai c70519 
+	size_t buflen, resplen, respoffs, copylen;
Takashi Iwai c70519
Takashi Iwai c70519 
 	buflen = *len + sizeof(*u.get);
Takashi Iwai c70519 
 	if (buflen < CONTROL_BUFFER_SIZE)
Takashi Iwai c70519 
@@ -732,22 +732,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
Takashi Iwai c70519
Takashi Iwai c70519 
 		if (respoffs > buflen) {
Takashi Iwai c70519 
 			/* Device returned data offset outside buffer, error. */
Takashi Iwai c70519 
-			netdev_dbg(dev->net, "%s(%s): received invalid "
Takashi Iwai c70519 
-				"data offset: %d > %d\n", __func__,
Takashi Iwai c70519 
-				oid_to_string(oid), respoffs, buflen);
Takashi Iwai c70519 
+			netdev_dbg(dev->net,
Takashi Iwai c70519 
+				   "%s(%s): received invalid data offset: %zu > %zu\n",
Takashi Iwai c70519 
+				   __func__, oid_to_string(oid), respoffs, buflen);
Takashi Iwai c70519
Takashi Iwai c70519 
 			ret = -EINVAL;
Takashi Iwai c70519 
 			goto exit_unlock;
Takashi Iwai c70519 
 		}
Takashi Iwai c70519
Takashi Iwai c70519 
-		if ((resplen + respoffs) > buflen) {
Takashi Iwai c70519 
-			/* Device would have returned more data if buffer would
Takashi Iwai c70519 
-			 * have been big enough. Copy just the bits that we got.
Takashi Iwai c70519 
-			 */
Takashi Iwai c70519 
-			copylen = buflen - respoffs;
Takashi Iwai c70519 
-		} else {
Takashi Iwai c70519 
-			copylen = resplen;
Takashi Iwai c70519 
-		}
Takashi Iwai c70519 
+		copylen = min(resplen, buflen - respoffs);
Takashi Iwai c70519
Takashi Iwai c70519 
 		if (copylen > *len)
Takashi Iwai c70519 
 			copylen = *len;
Takashi Iwai c70519 
--
Takashi Iwai c70519 
2.35.3
Takashi Iwai c70519
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.