From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Dokyung Song <dokyungs@yonsei.ac.kr>,
Jisoo Jang <jisoo.jang@yonsei.ac.kr>,
Minsuk Kang <linuxlovemin@yonsei.ac.kr>,
Arend van Spriel <aspriel@gmail.com>,
Dokyung Song <dokyung.song@gmail.com>,
Kalle Valo <kvalo@kernel.org>
Subject: [PATCH 4.19 48/48] wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
Date: Tue, 8 Nov 2022 14:39:33 +0100 [thread overview]
Message-ID: <20221108133331.321367213@linuxfoundation.org> (raw)
In-Reply-To: <20221108133329.533809494@linuxfoundation.org>
From: Dokyung Song <dokyung.song@gmail.com>
commit 6788ba8aed4e28e90f72d68a9d794e34eac17295 upstream.
This patch fixes an intra-object buffer overflow in brcmfmac that occurs
when the device provides a 'bsscfgidx' equal to or greater than the
buffer size. The patch adds a check that leads to a safe failure if that
is the case.
This fixes CVE-2022-3628.
UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 52 is out of range for type 'brcmf_if *[16]'
CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: events brcmf_fweh_event_worker
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_out_of_bounds+0x69/0x80
? memcpy+0x39/0x60
brcmf_fweh_event_worker+0xae1/0xc00
? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? process_one_work+0x13e0/0x13e0
kthread+0x379/0x450
? _raw_spin_unlock_irq+0x24/0x30
? set_kthread_struct+0x100/0x100
ret_from_fork+0x1f/0x30
================================================================================
general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN
KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff]
CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: events brcmf_fweh_event_worker
RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
brcmf_fweh_event_worker+0x117/0xc00
? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? process_one_work+0x13e0/0x13e0
kthread+0x379/0x450
? _raw_spin_unlock_irq+0x24/0x30
? set_kthread_struct+0x100/0x100
ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 41d302138f3ff55a ]---
RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Arend van Spriel <aspriel@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221021061359.GA550858@laguna
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -237,6 +237,10 @@ static void brcmf_fweh_event_worker(stru
brcmf_fweh_event_name(event->code), event->code,
event->emsg.ifidx, event->emsg.bsscfgidx,
event->emsg.addr);
+ if (event->emsg.bsscfgidx >= BRCMF_MAX_IFS) {
+ brcmf_err("invalid bsscfg index: %u\n", event->emsg.bsscfgidx);
+ goto event_free;
+ }
/* convert event message */
emsg_be = &event->emsg;
next prev parent reply other threads:[~2022-11-08 13:47 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-08 13:38 [PATCH 4.19 00/48] 4.19.265-rc1 review Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 01/48] NFSv4.1: Handle RECLAIM_COMPLETE trunking errors Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 02/48] NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 03/48] nfs4: Fix kmemleak when allocate slot failed Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 04/48] net: dsa: Fix possible memory leaks in dsa_loop_init() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 05/48] RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 06/48] nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 07/48] nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 08/48] net: fec: fix improper use of NETDEV_TX_BUSY Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 09/48] ata: pata_legacy: fix pdc20230_set_piomode() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 10/48] net: sched: Fix use after free in red_enqueue() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 11/48] net: tun: fix bugs for oversize packet when napi frags enabled Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 12/48] ipvs: use explicitly signed chars Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 13/48] ipvs: fix WARNING in __ip_vs_cleanup_batch() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.19 14/48] ipvs: fix WARNING in ip_vs_app_net_cleanup() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 15/48] rose: Fix NULL pointer dereference in rose_send_frame() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 16/48] mISDN: fix possible memory leak in mISDN_register_device() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 17/48] isdn: mISDN: netjet: fix wrong check of device registration Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 18/48] btrfs: fix inode list leak during backref walking at resolve_indirect_refs() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 19/48] btrfs: fix ulist leaks in error paths of qgroup self tests Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 20/48] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 21/48] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 22/48] net: mdio: fix undefined behavior in bit shift for __mdiobus_register Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 23/48] net, neigh: Fix null-ptr-deref in neigh_table_clear() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 24/48] ipv6: fix WARNING in ip6_route_net_exit_late() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 25/48] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 26/48] media: cros-ec-cec: " Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 27/48] media: dvb-frontends/drxk: initialize err to 0 Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 28/48] HID: saitek: add madcatz variant of MMO7 mouse device ID Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 29/48] i2c: xiic: Add platform module alias Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 30/48] Bluetooth: L2CAP: Fix attempting to access uninitialized memory Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 31/48] block, bfq: protect bfqd->queued by bfqd->lock Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 32/48] btrfs: fix type of parameter generation in btrfs_get_dentry Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 33/48] tcp/udp: Make early_demux back namespacified Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 34/48] kprobe: reverse kp->flags when arm_kprobe failed Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 35/48] tracing/histogram: Update document for KEYS_MAX size Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 36/48] capabilities: fix potential memleak on error path from vfs_getxattr_alloc() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 37/48] ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 38/48] efi: random: reduce seed size to 32 bytes Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 39/48] parisc: Make 8250_gsc driver dependend on CONFIG_PARISC Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 40/48] parisc: Export iosapic_serial_irq() symbol for serial port driver Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 41/48] parisc: Avoid printing the hardware path twice Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 42/48] ext4: fix warning in ext4_da_release_space Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 43/48] KVM: x86: Mask off reserved bits in CPUID.80000008H Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 44/48] KVM: x86: emulator: em_sysexit should update ctxt->mode Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 45/48] KVM: x86: emulator: introduce emulator_recalc_and_set_mode Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 46/48] KVM: x86: emulator: update the emulation mode after CR0 write Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.19 47/48] linux/bits.h: make BIT(), GENMASK(), and friends available in assembly Greg Kroah-Hartman
2022-11-08 13:39 ` Greg Kroah-Hartman [this message]
2022-11-08 15:13 ` [PATCH 4.19 00/48] 4.19.265-rc1 review Pavel Machek
2022-11-09 2:57 ` Guenter Roeck
2022-11-09 13:19 ` Naresh Kamboju
2022-11-10 1:57 ` Shuah Khan
2022-11-10 10:48 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221108133331.321367213@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aspriel@gmail.com \
--cc=dokyung.song@gmail.com \
--cc=dokyungs@yonsei.ac.kr \
--cc=jisoo.jang@yonsei.ac.kr \
--cc=kvalo@kernel.org \
--cc=linuxlovemin@yonsei.ac.kr \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox