linux/drivers/net/usb
Marcin Kozlowski afb8e24652 net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
aqc111_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:

 - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,
   causing OOB reads and (on big-endian systems) OOB endianness flips.
 - A packet can overlap the metadata array, causing a later OOB
   endianness flip to corrupt data used by a cloned SKB that has already
   been handed off into the network stack.
 - A packet SKB can be constructed whose tail is far beyond its end,
   causing out-of-bounds heap data to be considered part of the SKB's
   data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since
I don't have a aqc111 device to test it, but the code looks very similar.

Signed-off-by: Marcin Kozlowski <marcinguy@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-04-06 15:22:49 +01:00
..
aqc111.c net: usb: aqc111: Fix out-of-bounds accesses in RX fixup 2022-04-06 15:22:49 +01:00
aqc111.h
asix_common.c net: asix: remove code duplicates in asix_mdio_read/write and asix_mdio_read/write_nopm 2022-02-24 21:21:30 -08:00
asix_devices.c net: usb: asix: suspend embedded PHY if external is used 2022-03-12 11:50:56 +00:00
asix.h net: usb: asix: suspend embedded PHY if external is used 2022-03-12 11:50:56 +00:00
ax88172a.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
ax88179_178a.c net: usb: ax88179_178a: add Allied Telesis AT-UMCs 2022-03-24 18:32:14 -07:00
catc.c usbb: catc: use correct API for MAC addresses 2021-10-25 15:34:02 +01:00
cdc_eem.c net: cdc_eem: fix tx fixup skb leak 2021-06-17 11:30:25 -07:00
cdc_ether.c USB: zaurus: support another broken Zaurus 2022-02-14 14:37:15 +00:00
cdc_mbim.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-02-17 11:44:20 -08:00
cdc_ncm.c CDC-NCM: avoid overflow in sanity checking 2022-02-15 14:56:10 +00:00
cdc_subset.c
cdc-phonet.c net: remove single-byte netdev->dev_addr writes 2021-10-13 10:03:59 -07:00
ch9200.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
cx82310_eth.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
dm9601.c ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
gl620a.c usbnet: gl620a: Replace one-element array with flexible-array member 2022-02-22 17:00:54 -08:00
hso.c net: hso: Use GFP_KERNEL instead of GFP_ATOMIC when possible 2022-02-15 14:34:29 +00:00
huawei_cdc_ncm.c usb: class: cdc-wdm: WWAN framework integration 2021-05-11 16:17:56 -07:00
int51x1.c net: usb: Fix spelling mistakes 2021-06-01 17:05:05 -07:00
ipheth.c ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback 2022-02-01 20:25:38 -08:00
kalmia.c net: usb: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
kaweth.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
Kconfig net: usb: smsc95xx: add generic selftest support 2022-02-09 13:28:22 +00:00
lan78xx.c net: usb: lan78xx: Use generic_handle_irq_safe(). 2022-03-02 22:28:50 +01:00
lan78xx.h
lg-vl600.c net: usb: Fix spelling mistakes 2021-06-01 17:05:05 -07:00
Makefile
mcs7830.c net: mcs7830: handle usb read errors properly 2022-01-09 16:35:50 -08:00
net1080.c
pegasus.c net: usb: pegasus: Do not drop long Ethernet frames 2021-12-27 14:52:06 +00:00
pegasus.h
plusb.c
qmi_wwan.c net: usb: qmi_wwan: Add support for Dell DW5829e 2022-02-09 17:13:52 -08:00
r8152.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
r8153_ecm.c r8153_ecm: Add Lenovo Powered USB-C Hub as a fallback of r8152 2021-01-12 20:00:51 -08:00
rndis_host.c rndis_host: support Hytera digital radios 2022-01-02 16:12:45 +00:00
rtl8150.c net: usb: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
sierra_net.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
smsc75xx.c usb: smsc: use eth_hw_addr_set() 2021-10-22 10:15:56 -07:00
smsc75xx.h
smsc95xx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-10 17:16:56 -08:00
smsc95xx.h
sr9700.c sr9700: sanity check for packet length 2022-02-18 11:05:08 +00:00
sr9700.h
sr9800.c net: usb: don't write directly to netdev->dev_addr 2021-10-22 10:16:01 -07:00
sr9800.h
usbnet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
zaurus.c USB: zaurus: support another broken Zaurus 2022-02-14 14:37:15 +00:00