Message-ID: <43bcabe9-eb46-9099-eec9-2e846f2c3ddf@denx.de>
Date: Fri, 9 Dec 2022 02:56:59 +0100
Subject: Re: [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation
To: Szymon Heidrich , festevam@gmail.com, lukma@denx.de
Cc: u-boot@lists.denx.de
References: <58ee51c7-a318-7002-11eb-27aa79614e71@denx.de> <20221205092823.41742-1-szymon.heidrich@gmail.com>
From: Marek Vasut
In-Reply-To: <20221205092823.41742-1-szymon.heidrich@gmail.com>

On 12/5/22 10:28, Szymon Heidrich wrote:
> Prevent access to arbitrary memory locations in gen_ndis_set_resp
> via manipulation of buf->InformationBufferOffset. Original
> implementation permits manipulation of InformationBufferOffset to
> exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
> within a 32-byte offset as the device's packet filter. The packet filter
> value may be next retrieved using gen_ndis_query_resp so it is possible
> to extract specific memory regions two bytes at a time.
>
> The rndis_query_response was not modified as neither the buffer offset
> nor length passed to gen_ndis_query_resp is used.
> > Signed-off-by: Szymon Heidrich > --- > V1 -> V2: Updated commit message > > drivers/usb/gadget/rndis.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c > index 13c327ea38..3948f2cc9a 100644 > --- a/drivers/usb/gadget/rndis.c > +++ b/drivers/usb/gadget/rndis.c > @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf) > rndis_set_cmplt_type *resp; > rndis_resp_t *r; > > + BufLength = get_unaligned_le32(&buf->InformationBufferLength); > + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); > + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) || > + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset)) > + return -EINVAL; > + > r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type)); > if (!r) > return -ENOMEM; > resp = (rndis_set_cmplt_type *) r->buf; > > - BufLength = get_unaligned_le32(&buf->InformationBufferLength); > - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); > - > #ifdef VERBOSE > debug("%s: Length: %d\n", __func__, BufLength); > debug("%s: Offset: %d\n", __func__, BufOffset); Applied to usb/master, thanks
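Review bot: the literal 8 that appears in both comparisons of the new check in rndis_set_response is unexplained in the hunk; a one-line comment stating what those 8 bytes account for would help the next reader, and the same comment should note that the two comparisons must stay in this order, since `BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset` only avoids unsigned wrap-around because the first comparison has already rejected any BufOffset above `RNDIS_MAX_TOTAL_SIZE - 8`. Moving the two get_unaligned_le32() reads and the check ahead of rndis_add_response() is the right ordering, as the -EINVAL path then leaves no response allocated. One thing to confirm: the bound used is the RNDIS_MAX_TOTAL_SIZE constant rather than the length of the message actually received, so the check is only sufficient if buf is always backed by at least RNDIS_MAX_TOTAL_SIZE bytes of storage; if a shorter receive buffer is possible, the offset and length should be validated against the received length instead.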