ACK: [SRU][Bionic][PATCH 1/1] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Krzysztof Kozlowski krzysztof.kozlowski at canonical.com
Tue Feb 22 11:27:39 UTC 2022


On 18/02/2022 18:50, Bartlomiej Zolnierkiewicz wrote:
> From: Zekun Shen <bruceshenzk at gmail.com>
> 
> This bug report shows up when running our research tools. The
> report is a SOOB read, but it seems a SOOB write is also possible
> a few lines below.
> 
> In detail, fw.len and sw.len are inputs coming from I/O. A len
> over the size of self->rpc triggers SOOB. The patch fixes the
> bugs by adding sanity checks.
> 
> The bugs are triggerable with compromised/malfunctioning devices.
> They are potentially exploitable given they first leak up to
> 0xffff bytes and are able to overwrite the region later.
> 
> The patch is tested with QEMU emulator.
> This is NOT tested with a real device.
> 
> Attached is the log we found by fuzzing.
> 
> BUG: KASAN: slab-out-of-bounds in
> 	hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
> Read of size 4 at addr ffff888016260b08 by task modprobe/213
> CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
> Call Trace:
>  dump_stack+0x76/0xa0
>  print_address_description.constprop.0+0x16/0x200
>  ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
>  ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
>  __kasan_report.cold+0x37/0x7c
>  ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
>  ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
>  kasan_report+0xe/0x20
>  hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
>  hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
>  hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
>  hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
>  ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
>  ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
>  hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
>  aq_nic_ndev_register+0x88/0x650 [atlantic]
>  ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
>  aq_pci_probe+0x731/0x9b0 [atlantic]
>  ? aq_pci_func_init+0xc0/0xc0 [atlantic]
>  local_pci_probe+0xd3/0x160
>  pci_device_probe+0x23f/0x3e0
> 
> Reported-by: Brendan Dolan-Gavitt <brendandg at nyu.edu>
> Signed-off-by: Zekun Shen <bruceshenzk at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit b922f622592af76b57cbc566eaeccda0b31a3496)
> CVE-2021-43975
> Signed-off-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz at canonical.com>
> ---
>  .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c   | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 


Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski at canonical.com>


Best regards,
Krzysztof
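The sanity check the quoted commit message describes, modelled as an added user-space C example (not the atlantic driver's own code, and not the patch itself); `struct aq_hw_model`, `RPC_BUF_SIZE`, `struct mbox_hdr` and the `device_mem` stand-in are assumptions chosen to mirror the `self->rpc`, `fw.len` and `sw.len` named in the message:

```c
/* Added example, not the atlantic driver's code. Names and sizes below are
 * assumptions: RPC_BUF_SIZE stands in for sizeof(self->rpc). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define RPC_BUF_SIZE 256U

struct aq_hw_model {
    uint8_t rpc[RPC_BUF_SIZE];   /* fixed-size RPC buffer, like self->rpc */
};

/* Mailbox word the driver reads from the device; len is device-controlled. */
struct mbox_hdr { uint32_t len; };

/* Constructed stand-in for the device memory the driver copies dwords to/from. */
static uint8_t device_mem[0x10000];

/* One model instance for callers to exercise. */
struct aq_hw_model hw_model;

/* Central check: a device-supplied length must never exceed the buffer.
 * Without it, a len larger than rpc reads or writes past the end. */
static int rpc_len_valid(const struct aq_hw_model *self, uint32_t len)
{
    return len <= sizeof(self->rpc);
}

/* Download path (fw.len): device data lands in self->rpc, so an oversized
 * len would be an out-of-bounds write. Reject before touching the buffer. */
int rpc_download(struct aq_hw_model *self, struct mbox_hdr fw)
{
    if (!rpc_len_valid(self, fw.len))
        return -EINVAL;
    memcpy(self->rpc, device_mem, fw.len);
    return 0;
}

/* Upload path (sw.len): self->rpc is read out to the device, so an oversized
 * len would be an out-of-bounds read (the KASAN report above). */
int rpc_upload(struct aq_hw_model *self, struct mbox_hdr sw)
{
    if (!rpc_len_valid(self, sw.len))
        return -EINVAL;
    memcpy(device_mem, self->rpc, sw.len);
    return 0;
}

/* Builds a constructed mailbox header with a chosen length. */
struct mbox_hdr make_hdr(uint32_t len)
{
    struct mbox_hdr h = { .len = len };
    return h;
}
```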