| Message ID | 20221021061359.GA550858@laguna (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 6788ba8aed4e28e90f72d68a9d794e34eac17295 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker' | expand |
Dokyung Song <dokyung.song@gmail.com> writes: > This patch fixes an intra-object buffer overflow in brcmfmac that occurs > when the device provides a 'bsscfgidx' equal to or greater than the > buffer size. The patch adds a check that leads to a safe failure if that > is the case. > > This fixes CVE-2022-3628. > > UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c > index 52 is out of range for type 'brcmf_if *[16]' > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > Call Trace: > dump_stack_lvl+0x57/0x7d > ubsan_epilogue+0x5/0x40 > __ubsan_handle_out_of_bounds+0x69/0x80 > ? memcpy+0x39/0x60 > brcmf_fweh_event_worker+0xae1/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > ================================================================================ > general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN > KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff] > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > brcmf_fweh_event_worker+0x117/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > Modules linked in: 88XXau(O) 88x2bu(O) > ---[ end trace 41d302138f3ff55a ]--- > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Kernel panic - not syncing: Fatal exception > > Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr> > Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr> > Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> > Reviewed-by: Arend van Spriel <aspriel@gmail.com> > Signed-off-by: Dokyung Song <dokyung.song@gmail.com> > --- > v1->v2: Addressed review comments > v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ > 1 file changed, 4 insertions(+) Please include the driver name in the subject. And we prefer use parenthesis with function names. So the subject should be: wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() I can fix that during commit. Should I queue this to v6.1?
On 10/21/2022 8:57 AM, Kalle Valo wrote: > Dokyung Song <dokyung.song@gmail.com> writes: > >> This patch fixes an intra-object buffer overflow in brcmfmac that occurs >> when the device provides a 'bsscfgidx' equal to or greater than the >> buffer size. The patch adds a check that leads to a safe failure if that >> is the case. >> >> This fixes CVE-2022-3628. >> >> UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c >> index 52 is out of range for type 'brcmf_if *[16]' [...] >> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr> >> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr> >> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> >> Reviewed-by: Arend van Spriel <aspriel@gmail.com> >> Signed-off-by: Dokyung Song <dokyung.song@gmail.com> >> --- >> v1->v2: Addressed review comments >> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number >> >> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ >> 1 file changed, 4 insertions(+) > > Please include the driver name in the subject. And we prefer use > parenthesis with function names. So the subject should be: > > wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() > > I can fix that during commit. > > Should I queue this to v6.1? Please do. Probably good to add Cc: for stable. Should apply to older kernels as is. btw. is there any formal way to reference CVE. There probably isn't as generally we don't require a CVE in kernel tree [1]. Regards, Arend [1] https://docs.kernel.org/admin-guide/security-bugs.html
Arend Van Spriel <aspriel@gmail.com> writes: > On 10/21/2022 8:57 AM, Kalle Valo wrote: >> Dokyung Song <dokyung.song@gmail.com> writes: >> >>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs >>> when the device provides a 'bsscfgidx' equal to or greater than the >>> buffer size. The patch adds a check that leads to a safe failure if that >>> is the case. >>> >>> This fixes CVE-2022-3628. >>> >>> UBSAN: array-index-out-of-bounds in >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c >>> index 52 is out of range for type 'brcmf_if *[16]' > > [...] > >>> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr> >>> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr> >>> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> >>> Reviewed-by: Arend van Spriel <aspriel@gmail.com> >>> Signed-off-by: Dokyung Song <dokyung.song@gmail.com> >>> --- >>> v1->v2: Addressed review comments >>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number >>> >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ >>> 1 file changed, 4 insertions(+) >> >> Please include the driver name in the subject. And we prefer use >> parenthesis with function names. So the subject should be: >> >> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() >> >> I can fix that during commit. >> >> Should I queue this to v6.1? > > Please do. Probably good to add Cc: for stable. Should apply to older > kernels as is. Ok, I'll add that as well. > btw. is there any formal way to reference CVE. There probably isn't as > generally we don't require a CVE in kernel tree [1]. I'm not aware of any formal way to mark CVEs. If there are, please let me know :)
On Fri, Oct 21, 2022 at 05:53:54PM +0300, Kalle Valo wrote: > Arend Van Spriel <aspriel@gmail.com> writes: > > > On 10/21/2022 8:57 AM, Kalle Valo wrote: > >> Dokyung Song <dokyung.song@gmail.com> writes: > >> > >>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs > >>> when the device provides a 'bsscfgidx' equal to or greater than the > >>> buffer size. The patch adds a check that leads to a safe failure if that > >>> is the case. > >>> > >>> This fixes CVE-2022-3628. > >>> > >>> UBSAN: array-index-out-of-bounds in > >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c > >>> index 52 is out of range for type 'brcmf_if *[16]' > > > > [...] > > > >>> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr> > >>> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr> > >>> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> > >>> Reviewed-by: Arend van Spriel <aspriel@gmail.com> > >>> Signed-off-by: Dokyung Song <dokyung.song@gmail.com> > >>> --- > >>> v1->v2: Addressed review comments > >>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number > >>> > >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ > >>> 1 file changed, 4 insertions(+) > >> > >> Please include the driver name in the subject. And we prefer use > >> parenthesis with function names. So the subject should be: > >> > >> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() > >> > >> I can fix that during commit. That would be greatly appreciated. Let me know if anything further needs fixing. > >> > >> Should I queue this to v6.1? > > > > Please do. Probably good to add Cc: for stable. Should apply to older > > kernels as is. > > Ok, I'll add that as well. > > > btw. is there any formal way to reference CVE. There probably isn't as > > generally we don't require a CVE in kernel tree [1]. > > I'm not aware of any formal way to mark CVEs. If there are, please let > me know :) I am not aware of any either. I looked at other commits and followed recent practice. > > -- > https://patchwork.kernel.org/project/linux-wireless/list/ > > https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Dokyung Song <dokyung.song@gmail.com> wrote: > This patch fixes an intra-object buffer overflow in brcmfmac that occurs > when the device provides a 'bsscfgidx' equal to or greater than the > buffer size. The patch adds a check that leads to a safe failure if that > is the case. > > This fixes CVE-2022-3628. > > UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c > index 52 is out of range for type 'brcmf_if *[16]' > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > Call Trace: > dump_stack_lvl+0x57/0x7d > ubsan_epilogue+0x5/0x40 > __ubsan_handle_out_of_bounds+0x69/0x80 > ? memcpy+0x39/0x60 > brcmf_fweh_event_worker+0xae1/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > ================================================================================ > general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN > KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff] > CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > Workqueue: events brcmf_fweh_event_worker > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > brcmf_fweh_event_worker+0x117/0xc00 > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 > ? rcu_read_lock_sched_held+0xa1/0xd0 > ? rcu_read_lock_bh_held+0xb0/0xb0 > ? lockdep_hardirqs_on_prepare+0x273/0x3e0 > process_one_work+0x873/0x13e0 > ? lock_release+0x640/0x640 > ? pwq_dec_nr_in_flight+0x320/0x320 > ? rwlock_bug.part.0+0x90/0x90 > worker_thread+0x8b/0xd10 > ? __kthread_parkme+0xd9/0x1d0 > ? process_one_work+0x13e0/0x13e0 > kthread+0x379/0x450 > ? _raw_spin_unlock_irq+0x24/0x30 > ? set_kthread_struct+0x100/0x100 > ret_from_fork+0x1f/0x30 > Modules linked in: 88XXau(O) 88x2bu(O) > ---[ end trace 41d302138f3ff55a ]--- > RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 > Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 > RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 > RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 > RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 > RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 > R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 > R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 > FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Kernel panic - not syncing: Fatal exception > > Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr> > Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr> > Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr> > Reviewed-by: Arend van Spriel <aspriel@gmail.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Dokyung Song <dokyung.song@gmail.com> Patch applied to wireless.git, thanks. 6788ba8aed4e wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index bc3f4e4edcdf..dac7eb77799b 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -228,6 +228,10 @@ static void brcmf_fweh_event_worker(struct work_struct *work) brcmf_fweh_event_name(event->code), event->code, event->emsg.ifidx, event->emsg.bsscfgidx, event->emsg.addr); + if (event->emsg.bsscfgidx >= BRCMF_MAX_IFS) { + bphy_err(drvr, "invalid bsscfg index: %u\n", event->emsg.bsscfgidx); + goto event_free; + } /* convert event message */ emsg_be = &event->emsg;