Re: [PATCH] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

[Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>]

On 3/9/2023 2:44 AM, Jisoo Jang wrote:
> Fix a slab-out-of-bounds read that occurs in kmemdup() called from
> brcmf_get_assoc_ies().
> The bug could occur when assoc_info->req_len, data from a URB provided
> by a USB device, is bigger than the size of buffer which is defined as
> WL_EXTRA_BUF_MAX.
>
> Add the size check for req_len/resp_len of assoc_info.
>
> Found by a modified version of syzkaller.
>
> [   46.592467][    T7] ==================================================================
> [   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
> [   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7

[...]

> [   46.673620][    T7] Memory state around the buggy address:
> [   46.674213][    T7]  ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [   46.675083][    T7]  ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [   46.675994][    T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.676875][    T7]                    ^
> [   46.677323][    T7]  ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.678190][    T7]  ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.679052][    T7] ==================================================================
> [   46.679945][    T7] Disabling lock debugging due to kernel taint
> [   46.680725][    T7] Kernel panic - not syncing:

Reviewed-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
> Signed-off-by: Jisoo Jang <jisoo.jang@xxxxxxxxxxxx>
> ---
>   .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   | 8 ++++++++
>   1 file changed, 8 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index a9690ec4c850..13e590b41b01 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -6165,6 +6165,10 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
>   	req_len = le32_to_cpu(assoc_info->req_len);
>   	resp_len = le32_to_cpu(assoc_info->resp_len);

better do validation of both values here and bail out:

	if ((req_len > WL_EXTRA_BUF_MAX) || (resp_len > WL_EXTRA_BUF_MAX)) {
		bphy_err(drvr, "invalid lengths in assoc info: req %u resp %u\n", 
req_len, resp_len);
		return -EINVAL;
	}

>   	if (req_len) {
> +		if (req_len > WL_EXTRA_BUF_MAX) {
> +			bphy_err(drvr, "assoc req_len %d-byte is larger than buffer\n", req_len);
> +			return -EINVAL;
> +		}
>   		err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies",
>   					       cfg->extra_buf,
>   					       WL_ASSOC_INFO_MAX);

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature