From: Kalle Valo <kvalo@codeaurora.org>
To: Zekun Shen <bruceshenzk@gmail.com>
Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
	Siva Rebbagondla <siva8118@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, brendandg@nyu.edu
Subject: Re: [PATCH] rsi_usb: Fix out-of-bounds read in rsi_read_pkt
Date: Mon, 01 Nov 2021 16:07:37 +0200
Message-ID: <87tugw0y1i.fsf@codeaurora.org>
In-Reply-To: <YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu> (Zekun Shen's message of "Fri, 29 Oct 2021 16:19:23 -0400")

Zekun Shen <bruceshenzk@gmail.com> writes:

> rsi_get_* functions rely on an offset variable from USB
> input. The size of USB input is RSI_MAX_RX_USB_PKT_SIZE (3000),
> while a 2-byte offset can be up to 0xFFFF. Thus a large offset
> can cause an out-of-bounds read.
>
> The patch adds a bounds-checking condition when rcv_pkt_len is 0,
> indicating it's USB. It's unclear whether this is triggerable
> from other types of bus. The following check might help in that case:
> offset > rcv_pkt_len - FRAME_DESC_SZ
>
> The bug is triggerable with compromised/malfunctioning USB devices.
> I tested the patch with the crashing input and got no more bug report.
>
> Attached is the KASAN report from fuzzing.
>
> BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x]
> Read of size 2 at addr ffff888019439fdb by task RX-Thread/227
>
> CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66
> Call Trace:
>  dump_stack+0x76/0xa0
>  print_address_description.constprop.0+0x16/0x200
>  ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
>  ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
>  __kasan_report.cold+0x37/0x7c
>  ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
>  kasan_report+0xe/0x20
>  rsi_read_pkt+0x42e/0x500 [rsi_91x]
>  rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb]
>  ? rsi_probe+0x16a0/0x16a0 [rsi_usb]
>  ? _raw_spin_lock_irqsave+0x7b/0xd0
>  ? _raw_spin_trylock_bh+0x120/0x120
>  ? __wake_up_common+0x10b/0x520
>  ? rsi_probe+0x16a0/0x16a0 [rsi_usb]
>  kthread+0x2b5/0x3b0
>  ? kthread_create_on_node+0xd0/0xd0
>  ret_from_fork+0x22/0x40
>
> Reported-by: Zekun Shen <bruceshenzk@gmail.com>

You are the author, no need to have your name in Reported-by.


-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
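The descriptor-parsing pattern the commit message describes, as an added example that is not the rsi driver's code and not part of this thread. It models the check from the patch (for USB, rcv_pkt_len == 0, the buffer is RSI_MAX_RX_USB_PKT_SIZE bytes) together with the rcv_pkt_len-based variant the author suggests for other buses, and adds a bounds-checked field reader as defence in depth. Assumptions: FRAME_DESC_SZ is 16, the descriptor's first two 16-bit little-endian fields are actual_length and offset, and the queue number lives in bits 12..14 of the word read at frame_desc[offset]; the packets are constructed for the demo.

```c
/* Added example, not the rsi driver's code. Assumed layout: 16-byte
 * descriptor, fields actual_length (bytes 0-1) and offset (bytes 2-3),
 * queue number in bits 12..14 of the 16-bit word at frame_desc[offset]. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSI_MAX_RX_USB_PKT_SIZE 3000   /* USB RX buffer size, per the report */
#define FRAME_DESC_SZ           16     /* assumed descriptor size */

struct rx_frame {
    uint16_t actual_length;
    uint16_t offset;
    uint16_t queueno;
};

/* The check from the thread: rcv_pkt_len == 0 marks a USB packet whose
 * buffer is RSI_MAX_RX_USB_PKT_SIZE bytes; otherwise rcv_pkt_len bytes
 * arrived. A 2-byte offset can reach 0xFFFF, so it must be bounded
 * before any rsi_get_* accessor uses it as an index. */
bool rsi_rx_offset_ok(uint32_t rcv_pkt_len, uint16_t offset)
{
    uint32_t limit = rcv_pkt_len ? rcv_pkt_len : RSI_MAX_RX_USB_PKT_SIZE;

    /* A packet shorter than one descriptor cannot carry a valid offset;
     * testing this first avoids an unsigned wrap in limit - FRAME_DESC_SZ. */
    if (limit < FRAME_DESC_SZ)
        return false;
    return offset <= limit - FRAME_DESC_SZ;
}

/* Little-endian 16-bit read that never steps past len bytes. */
static bool read_le16(const uint8_t *buf, size_t len, size_t pos, uint16_t *out)
{
    if (pos > len || len - pos < 2)
        return false;
    *out = (uint16_t)(buf[pos] | ((uint16_t)buf[pos + 1] << 8));
    return true;
}

/* Parse the first frame in rx_pkt. Returns 0 on success, -1 if the
 * device-supplied descriptor would drive a read outside the buffer. */
int rsi_parse_first_frame(const uint8_t *rx_pkt, size_t buf_len,
                          uint32_t rcv_pkt_len, struct rx_frame *f)
{
    uint16_t word;

    if (!read_le16(rx_pkt, buf_len, 0, &f->actual_length) ||
        !read_le16(rx_pkt, buf_len, 2, &f->offset))
        return -1;

    /* The fix: validate the untrusted offset before indexing with it. */
    if (!rsi_rx_offset_ok(rcv_pkt_len, f->offset))
        return -1;

    /* Stand-in for rsi_get_queueno(frame_desc, offset); the explicit
     * length check guards a buffer shorter than the bus-specific limit. */
    if (!read_le16(rx_pkt, buf_len, f->offset, &word))
        return -1;
    f->queueno = (word & 0x7000) >> 12;
    return 0;
}

/* Constructed USB packet carrying the 0xFFFF offset from the KASAN
 * report. Returns the parser's verdict (-1 means rejected). */
int demo_malicious_usb_offset(void)
{
    uint8_t pkt[RSI_MAX_RX_USB_PKT_SIZE];
    struct rx_frame f;

    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x40; pkt[1] = 0x00;   /* actual_length = 64 */
    pkt[2] = 0xFF; pkt[3] = 0xFF;   /* offset = 0xFFFF, far past 3000 bytes */
    return rsi_parse_first_frame(pkt, sizeof(pkt), 0, &f);
}

/* Constructed well-formed USB packet. Returns the decoded queue number,
 * or -1 if the parser rejected it. */
int demo_benign_usb_offset(void)
{
    uint8_t pkt[RSI_MAX_RX_USB_PKT_SIZE];
    struct rx_frame f;

    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x40; pkt[1] = 0x00;   /* actual_length = 64 */
    pkt[2] = 0x10; pkt[3] = 0x00;   /* offset = 16, just past the descriptor */
    pkt[16] = 0x00; pkt[17] = 0x20; /* word 0x2000 -> queue 2 */
    if (rsi_parse_first_frame(pkt, sizeof(pkt), 0, &f) != 0)
        return -1;
    return f.queueno;
}

int main(void)
{
    printf("malicious offset: %d\n", demo_malicious_usb_offset());
    printf("benign queue:     %d\n", demo_benign_usb_offset());
    return 0;
}
```

Note that the thread's check only bounds the offset relative to the start of the buffer; if the driver walks several frames within one packet (a non-zero index into rx_pkt), the same offset has to be bounded against the bytes remaining from that frame's descriptor, which is what the length-aware read_le16 above covers.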

Thread overview: 3+ messages
2021-10-29 20:19 [PATCH] rsi_usb: Fix out-of-bounds read in rsi_read_pkt Zekun Shen
2021-11-01 14:07 ` Kalle Valo [this message]
2021-11-29 10:44 ` rsi: Fix out-of-bounds read in rsi_read_pkt() Kalle Valo