Re: [PATCH v2] wifi: brcmfmac: Fix potential slab-out-of-bounds read in brcmf_inform_single_bss()

[Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>]

On December 22, 2022 4:55:31 PM Kalle Valo <kvalo@xxxxxxxxxx> wrote:

> Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> wrote:
>
> > This patch fixes a slab-out-of-bounds read in brcmfmac that occurs in
> > cfg80211_find_elem_match() called from brcmf_inform_single_bss() when
> > the offset and length values of information elements provided by the
> > device exceed the boundary of the escan buffer that contains information
> > elements. The patch adds a check that makes the function return -EINVAL
> > if that is the case. Note that the negative return is handled by the
> > caller, brcmf_inform_bss().
> >
> > Found by a modified version of syzkaller.
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in cfg80211_find_elem_match+0x164/0x180
> > Read of size 1 at addr ffff888018f0fde9 by task kworker/0:2/1896
> >
> > CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #139
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
> > rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> > Workqueue: events brcmf_fweh_event_worker
> > Call Trace:
> > dump_stack_lvl+0x8e/0xd1
> > print_address_description.constprop.0.cold+0x93/0x334
> > ? cfg80211_find_elem_match+0x164/0x180
> > kasan_report.cold+0x79/0xd5
> > ? cfg80211_find_elem_match+0x164/0x180
> > cfg80211_find_elem_match+0x164/0x180
> > cfg80211_get_bss_channel+0x69/0x320
> > cfg80211_inform_single_bss_data+0x1a6/0x1060
> > ? cfg80211_bss_update+0x1e20/0x1e20
> > ? rcu_read_lock_sched_held+0xa1/0xd0
> > ? rcu_read_lock_bh_held+0xb0/0xb0
> > ? find_held_lock+0x2d/0x110
> > ? cfg80211_inform_bss_data+0xcb/0x160
> > cfg80211_inform_bss_data+0xcb/0x160
> > ? cfg80211_parse_mbssid_data+0x1540/0x1540
> > ? kvm_clock_get_cycles+0x14/0x20
> > ? ktime_get_with_offset+0x2b9/0x450
> > brcmf_inform_single_bss+0x36d/0x4d0
> > ? brcmf_notify_mic_status+0xb0/0xb0
> > ? __lock_acquire+0x181f/0x5790
> > ? brcmf_p2p_cancel_remain_on_channel+0x30/0x30
> > brcmf_inform_bss+0x131/0x210
> > brcmf_cfg80211_escan_handler+0x779/0xd20
> > ? rcu_read_lock_bh_held+0xb0/0xb0
> > ? lock_acquire+0x19d/0x4e0
> > ? find_held_lock+0x2d/0x110
> > ? brcmf_cfg80211_escan_timeout_worker+0x60/0x60
> > ? brcmf_fweh_event_worker+0x249/0xc00
> > ? mark_held_locks+0x9f/0xe0
> > ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
> > ? brcmf_cfg80211_escan_timeout_worker+0x60/0x60
> > brcmf_fweh_call_event_handler.isra.0+0x90/0x100
> > brcmf_fweh_event_worker+0x117/0xc00
> > ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
> > ? rcu_read_lock_sched_held+0xa1/0xd0
> > ? rcu_read_lock_bh_held+0xb0/0xb0
> > ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> > process_one_work+0x92b/0x1460
> > ? pwq_dec_nr_in_flight+0x330/0x330
> > ? rwlock_bug.part.0+0x90/0x90
> > worker_thread+0x95/0xe00
> > ? __kthread_parkme+0x115/0x1e0
> > ? process_one_work+0x1460/0x1460
> > kthread+0x3a1/0x480
> > ? set_kthread_struct+0x120/0x120
> > ret_from_fork+0x1f/0x30
> >
> > The buggy address belongs to the page:
> > page:ffffea000063c000 refcount:1 mapcount:0 mapping:0000000000000000 
> > index:0x0 pfn:0x18f00
> > head:ffffea000063c000 order:4 compound_mapcount:0 compound_pincount:0
> > flags: 0x100000000010000(head|node=0|zone=1)
> > raw: 0100000000010000 0000000000000000 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> > page_owner tracks the page as allocated
> > page last allocated via order 4, migratetype Unmovable, gfp_mask 
> > 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 1896, ts 44510886600, free_ts 0
> > prep_new_page+0x1aa/0x240
> > get_page_from_freelist+0x159a/0x27c0
> > __alloc_pages+0x2da/0x6a0
> > alloc_pages+0xec/0x1e0
> > kmalloc_order+0x39/0xf0
> > kmalloc_order_trace+0x19/0x120
> > brcmf_cfg80211_attach+0x5c9/0x3fd0
> > brcmf_attach+0x389/0xd40
> > brcmf_usb_probe+0x12de/0x1690
> > usb_probe_interface+0x2aa/0x760
> > really_probe+0x205/0xb70
> > __driver_probe_device+0x311/0x4b0
> > driver_probe_device+0x4e/0x150
> > __device_attach_driver+0x1cc/0x2a0
> > bus_for_each_drv+0x156/0x1d0
> > __device_attach+0x23f/0x3a0
> > page_owner free stack trace missing
> >
> > Memory state around the buggy address:
> > ffff888018f0fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff888018f0fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > ffff888018f0fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe
> >                                                  ^
> > ffff888018f0fe00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> > ffff888018f0fe80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> > ==================================================================
> >
> > Reported-by: Dokyung Song <dokyungs@xxxxxxxxxxxx>
> > Reported-by: Jisoo Jang <jisoo.jang@xxxxxxxxxxxx>
> > Reported-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
> > Reported-by: kernel test robot <lkp@xxxxxxxxx>
> > Signed-off-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
>
> Can someone review this?

Will have to see the bigger picture. Probably have time to do that later 
today. What's the deadline? ;-)

Regards,
Arend

> --
> https://patchwork.kernel.org/project/linux-wireless/patch/20221116145821.544266-1-linuxlovemin@xxxxxxxxxxxx/
>
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature