Zekun Shen <bruceshenzk@xxxxxxxxx> wrote: > rsi_get_* functions rely on an offset variable from usb > input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), > while 2-byte offset can be up to 0xFFFF. Thus a large offset > can cause out-of-bounds read. > > The patch adds a bound checking condition when rcv_pkt_len is 0, > indicating it's USB. It's unclear whether this is triggerable > from other type of bus. The following check might help in that case. > offset > rcv_pkt_len - FRAME_DESC_SZ > > The bug is trigerrable with conpromised/malfunctioning USB devices. > I tested the patch with the crashing input and got no more bug report. > > Attached is the KASAN report from fuzzing. > > BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] > Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 > > CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 > Call Trace: > dump_stack+0x76/0xa0 > print_address_description.constprop.0+0x16/0x200 > ? rsi_read_pkt+0x42e/0x500 [rsi_91x] > ? rsi_read_pkt+0x42e/0x500 [rsi_91x] > __kasan_report.cold+0x37/0x7c > ? rsi_read_pkt+0x42e/0x500 [rsi_91x] > kasan_report+0xe/0x20 > rsi_read_pkt+0x42e/0x500 [rsi_91x] > rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] > ? rsi_probe+0x16a0/0x16a0 [rsi_usb] > ? _raw_spin_lock_irqsave+0x7b/0xd0 > ? _raw_spin_trylock_bh+0x120/0x120 > ? __wake_up_common+0x10b/0x520 > ? rsi_probe+0x16a0/0x16a0 [rsi_usb] > kthread+0x2b5/0x3b0 > ? kthread_create_on_node+0xd0/0xd0 > ret_from_fork+0x22/0x40 > > Reported-by: Brendan Dolan-Gavitt <brendandg@xxxxxxx> > Signed-off-by: Zekun Shen <bruceshenzk@xxxxxxxxx> Patch applied to wireless-drivers-next.git, thanks. f1cb3476e48b rsi: Fix out-of-bounds read in rsi_read_pkt() -- https://patchwork.kernel.org/project/linux-wireless/patch/YXxXS4wgu2OsmlVv@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches