rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu
		
			
				
	
	
		
			86 lines
		
	
	
		
			2.4 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			86 lines
		
	
	
		
			2.4 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * @section LICENSE
 | |
|  * Copyright (c) 2014 Redpine Signals Inc.
 | |
|  *
 | |
|  * Permission to use, copy, modify, and/or distribute this software for any
 | |
|  * purpose with or without fee is hereby granted, provided that the above
 | |
|  * copyright notice and this permission notice appear in all copies.
 | |
|  *
 | |
|  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 | |
|  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 | |
|  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 | |
|  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 | |
|  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 | |
|  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 | |
|  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 | |
|  */
 | |
| 
 | |
| #ifndef __RSI_USB_INTF__
 | |
| #define __RSI_USB_INTF__
 | |
| 
 | |
| #include <linux/usb.h>
 | |
| #include "rsi_main.h"
 | |
| #include "rsi_common.h"
 | |
| 
 | |
| #define RSI_USB_VENDOR_ID	0x1618
 | |
| #define RSI_USB_PID_9113	0x9113
 | |
| #define RSI_USB_PID_9116	0x9116
 | |
| 
 | |
| #define USB_INTERNAL_REG_1           0x25000
 | |
| #define RSI_USB_READY_MAGIC_NUM      0xab
 | |
| #define FW_STATUS_REG                0x41050012
 | |
| #define RSI_TA_HOLD_REG              0x22000844
 | |
| #define RSI_FW_WDT_DISABLE_REQ	     0x69
 | |
| 
 | |
| #define USB_VENDOR_REGISTER_READ     0x15
 | |
| #define USB_VENDOR_REGISTER_WRITE    0x16
 | |
| #define RSI_USB_TX_HEAD_ROOM         128
 | |
| 
 | |
| #define MAX_RX_URBS                  2
 | |
| #define MAX_BULK_EP                  8
 | |
| #define WLAN_EP                      1
 | |
| #define BT_EP                        2
 | |
| 
 | |
| #define RSI_USB_BUF_SIZE	     4096
 | |
| #define RSI_USB_CTRL_BUF_SIZE	     0x04
 | |
| 
 | |
| #define RSI_MAX_RX_USB_PKT_SIZE	3000
 | |
| 
 | |
| struct rx_usb_ctrl_block {
 | |
| 	u8 *data;
 | |
| 	struct urb *rx_urb;
 | |
| 	struct sk_buff *rx_skb;
 | |
| 	u8 ep_num;
 | |
| };
 | |
| 
 | |
| struct rsi_91x_usbdev {
 | |
| 	void *priv;
 | |
| 	struct rsi_thread rx_thread;
 | |
| 	u8 endpoint;
 | |
| 	struct usb_device *usbdev;
 | |
| 	struct usb_interface *pfunction;
 | |
| 	struct rx_usb_ctrl_block rx_cb[MAX_RX_URBS];
 | |
| 	u8 *tx_buffer;
 | |
| 	__le16 bulkin_size[MAX_BULK_EP];
 | |
| 	u8 bulkin_endpoint_addr[MAX_BULK_EP];
 | |
| 	__le16 bulkout_size[MAX_BULK_EP];
 | |
| 	u8 bulkout_endpoint_addr[MAX_BULK_EP];
 | |
| 	u32 tx_blk_size;
 | |
| 	u8 write_fail;
 | |
| 	struct sk_buff_head rx_q;
 | |
| };
 | |
| 
 | |
| static inline int rsi_usb_check_queue_status(struct rsi_hw *adapter, u8 q_num)
 | |
| {
 | |
| 	/* In USB, there isn't any need to check the queue status */
 | |
| 	return QUEUE_NOT_FULL;
 | |
| }
 | |
| 
 | |
| static inline int rsi_usb_event_timeout(struct rsi_hw *adapter)
 | |
| {
 | |
| 	return EVENT_WAIT_FOREVER;
 | |
| }
 | |
| 
 | |
| void rsi_usb_rx_thread(struct rsi_common *common);
 | |
| #endif
 |