ACK: [SRU][Bionic][PATCH 1/1] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
Stefan Bader
stefan.bader at canonical.com
Tue Feb 22 09:08:16 UTC 2022
On 18.02.22 18:50, Bartlomiej Zolnierkiewicz wrote:
> From: Zekun Shen <bruceshenzk at gmail.com>
>
> This bug report shows up when running our research tools. The
> report is SOOB read, but it seems SOOB write is also possible
> a few lines below.
>
> In detail, fw.len and sw.len are inputs coming from io. A len
> over the size of self->rpc triggers SOOB. The patch fixes the
> bugs by adding sanity checks.
>
> The bugs are triggerable with compromised/malfunctioning devices.
> They are potentially exploitable given they first leak up to
> 0xffff bytes and are able to overwrite the region later.
>
> The patch is tested with QEMU emulator.
> This is NOT tested with a real device.
>
> Attached is the log we found by fuzzing.
>
> BUG: KASAN: slab-out-of-bounds in
> hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> Read of size 4 at addr ffff888016260b08 by task modprobe/213
> CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
> Call Trace:
> dump_stack+0x76/0xa0
> print_address_description.constprop.0+0x16/0x200
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> __kasan_report.cold+0x37/0x7c
> ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> kasan_report+0xe/0x20
> hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
> hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
> hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
> ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
> ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
> hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
> aq_nic_ndev_register+0x88/0x650 [atlantic]
> ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
> aq_pci_probe+0x731/0x9b0 [atlantic]
> ? aq_pci_func_init+0xc0/0xc0 [atlantic]
> local_pci_probe+0xd3/0x160
> pci_device_probe+0x23f/0x3e0
>
> Reported-by: Brendan Dolan-Gavitt <brendandg at nyu.edu>
> Signed-off-by: Zekun Shen <bruceshenzk at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit b922f622592af76b57cbc566eaeccda0b31a3496)
> CVE-2021-43975
> Signed-off-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
> index 2867a6a8e653..3beb816dcc49 100644
> --- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
> +++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
> @@ -458,6 +458,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
> goto err_exit;
>
> if (fw.len == 0xFFFFU) {
> + if (sw.len > sizeof(self->rpc)) {
> + printk(KERN_INFO "Invalid sw len: %x\n", sw.len);
> + err = -EINVAL;
> + goto err_exit;
> + }
> err = hw_atl_utils_fw_rpc_call(self, sw.len);
> if (err < 0)
> goto err_exit;
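Review bot: `printk(KERN_INFO "Invalid sw len: %x\n", sw.len)` logs a rejected, device-supplied length at informational level even though the function then fails with -EINVAL; a warning or error level, or the driver's device-aware logging helpers so the message names the NIC that sent the bad value, would fit better, and because a malfunctioning device can trigger this on every RPC a rate-limited variant is worth considering. The placement of the check itself is right: it sits directly before `hw_atl_utils_fw_rpc_call(self, sw.len)`, which is the consumer of sw.len.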
> @@ -468,6 +473,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
>
> if (rpc) {
> if (fw.len) {
> + if (fw.len > sizeof(self->rpc)) {
> + printk(KERN_INFO "Invalid fw len: %x\n", fw.len);
> + err = -EINVAL;
> + goto err_exit;
> + }
> err =
> hw_atl_utils_fw_downld_dwords(self,
> self->rpc_addr,
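Review bot: this check is a copy of the one in the previous hunk with `fw.len` in place of `sw.len`, including the same `printk(KERN_INFO ...)`; a small helper that takes the length and a label would keep the two copies from drifting and give one place to fix the log level. It would also help to say in a comment why `sizeof(self->rpc)` is the right bound here: the commit message explains that a len over sizeof(self->rpc) overflows the buffer that `hw_atl_utils_fw_downld_dwords(self, self->rpc_addr, ...)` fills, but a reader of this hunk alone cannot see that relationship.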
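The following is an added example, not driver code and not part of the patch above: a small user-space model of the patched `hw_atl_utils_fw_rpc_wait()` path, with the bound check applied to both mailbox lengths. It goes one step beyond the patch: because the real copy helpers move whole dwords (their names end in `_dwords` and the KASAN report shows a 4-byte read), the model checks the rounded-up dword count rather than the raw byte count, which matters if the buffer size is ever not a multiple of 4. The struct `aq_hw_model`, the 62-byte buffer, `run_case()` and the fake device data are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the driver state (self->rpc, self->rpc_addr);
 * sizeof(rpc) is deliberately not a multiple of 4, see rpc_len_ok(). */
struct aq_hw_model { uint8_t rpc[62]; uint32_t rpc_addr; };

/* Bytes -> dwords, rounding up, as a dword-granular copy must. */
static size_t bytes_to_dwords(uint32_t len) { return ((size_t)len + 3) / 4; }

/* A device-supplied byte length is safe only if the dwords actually moved
 * still fit; a plain len > sizeof test misses the trailing partial word. */
static int rpc_len_ok(uint32_t len, size_t buf) { return bytes_to_dwords(len) * 4 <= buf; }

/* Stand-in for hw_atl_utils_fw_downld_dwords: whole dwords from a fake device
 * into rpc[]; cnt must already have been bounded by rpc_len_ok(). */
static void downld_dwords(struct aq_hw_model *self, size_t cnt)
{
    for (size_t i = 0; i < cnt; i++) {
        uint32_t word = self->rpc_addr + (uint32_t)i; /* constructed data */
        memcpy(self->rpc + 4 * i, &word, sizeof word);
    }
}

/* Model of the patched hw_atl_utils_fw_rpc_wait(): fw_len and sw_len are the
 * mailbox lengths read from the device. fw_len == 0xFFFF asks for an upload of
 * sw_len bytes (modelled as a count); any other fw_len is downloaded. */
static int fw_rpc_wait(struct aq_hw_model *self, uint32_t fw_len,
                       uint32_t sw_len, size_t *dwords_moved)
{
    int upload = (fw_len == 0xFFFFU);
    uint32_t len = upload ? sw_len : fw_len;
    *dwords_moved = 0;
    if (!rpc_len_ok(len, sizeof(self->rpc))) /* the check the patch adds */
        return -EINVAL;
    *dwords_moved = bytes_to_dwords(len);
    if (!upload)
        downld_dwords(self, *dwords_moved);
    return 0;
}

/* One exchange on a fresh model: -EINVAL, or the number of dwords moved. */
static int run_case(uint32_t fw_len, uint32_t sw_len)
{
    struct aq_hw_model m = { .rpc_addr = 0x100 };
    size_t n; int err = fw_rpc_wait(&m, fw_len, sw_len, &n);
    return err ? err : (int)n;
}
```

With the 62-byte buffer, a length of 61 is rejected even though 61 < 62, because the copy would touch a sixteenth dword; a check written as `len > sizeof(self->rpc)` alone would accept it.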