ACK: [SRU][Bionic][PATCH 1/1] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
Krzysztof Kozlowski
krzysztof.kozlowski at canonical.com
Tue Feb 22 11:27:39 UTC 2022
On 18/02/2022 18:50, Bartlomiej Zolnierkiewicz wrote:
> From: Zekun Shen <bruceshenzk at gmail.com>
>
> This bug report shows up when running our research tools. The
> reports is SOOB read, but it seems SOOB write is also possible
> a few lines below.
>
> In details, fw.len and sw.len are inputs coming from io. A len
> over the size of self->rpc triggers SOOB. The patch fixes the
> bugs by adding sanity checks.
>
> The bugs are triggerable with compromised/malfunctioning devices.
> They are potentially exploitable given they first leak up to
> 0xffff bytes and able to overwrite the region later.
>
> The patch is tested with QEMU emulater.
> This is NOT tested with a real device.
>
> Attached is the log we found by fuzzing.
>
> BUG: KASAN: slab-out-of-bounds in
> hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> Read of size 4 at addr ffff888016260b08 by task modprobe/213
> CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
> Call Trace:
> dump_stack+0x76/0xa0
> print_address_description.constprop.0+0x16/0x200
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> __kasan_report.cold+0x37/0x7c
> ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
> ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> kasan_report+0xe/0x20
> hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
> hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
> hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
> ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
> ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
> hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
> aq_nic_ndev_register+0x88/0x650 [atlantic]
> ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
> aq_pci_probe+0x731/0x9b0 [atlantic]
> ? aq_pci_func_init+0xc0/0xc0 [atlantic]
> local_pci_probe+0xd3/0x160
> pci_device_probe+0x23f/0x3e0
>
> Reported-by: Brendan Dolan-Gavitt <brendandg at nyu.edu>
> Signed-off-by: Zekun Shen <bruceshenzk at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit b922f622592af76b57cbc566eaeccda0b31a3496)
> CVE-2021-43975
> Signed-off-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz at canonical.com>
> ---
> .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski at canonical.com>
Best regards,
Krzysztof
More information about the kernel-team
mailing list