linux/drivers
Minsuk Kang e4991910f1 wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
commit 4920ab131b upstream.

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
value of channel specifications provided by the device is greater than
the length of 'list->element[]', decided by the size of the 'list'
allocated with kzalloc(). The patch adds checks that make the functions
free the buffer and return -EINVAL if that is the case. Note that the
negative return is handled by the caller, brcmf_setup_wiphybands() or
brcmf_cfg80211_attach().

Found by a modified version of syzkaller.

Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0.cold+0x93/0x334
 kasan_report.cold+0x83/0xdf
 brcmf_setup_wiphybands+0x1238/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

Allocated by task 1896:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 kmem_cache_alloc_trace+0x19e/0x330
 brcmf_setup_wiphybands+0x290/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
 2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address:
 ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crash Report from brcmf_enable_bw40_2g():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0.cold+0x93/0x334
 kasan_report.cold+0x83/0xdf
 brcmf_cfg80211_attach+0x3d11/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

Allocated by task 1896:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 kmem_cache_alloc_trace+0x19e/0x330
 brcmf_cfg80211_attach+0x3302/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888103787000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
 2048-byte region [ffff888103787000, ffff888103787800)

Memory state around the buggy address:
 ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221116142952.518241-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-09 11:26:48 +01:00
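The check the commit describes, as an added C example modelled on the fix rather than taken from the brcmfmac source: the count a device reports is compared against the number of entries the driver's own allocation can hold, and the list is rejected with -EINVAL before any element is read. `struct chanspec_list`, `REPLY_BUF_LEN`, `validate_chanspec_count`, `walk_chanspecs` and `make_reply` are names constructed for this example; the real driver's structure, buffer length and function names are not reproduced here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a firmware-provided channel list: a count
 * followed by `count` 32-bit channel specs. Not the brcmfmac struct. */
struct chanspec_list {
	uint32_t count;
	uint32_t element[];	/* flexible array member */
};

/* Constructed size of the reply buffer the driver zero-allocates
 * (the KASAN report above shows a 2048-byte region). */
#define REPLY_BUF_LEN 2048

/* How many element[] entries fit after the count header in buf_len bytes. */
static size_t max_elements(size_t buf_len)
{
	if (buf_len < sizeof(struct chanspec_list))
		return 0;
	return (buf_len - sizeof(struct chanspec_list)) / sizeof(uint32_t);
}

/* The check the commit adds: a count larger than the allocation can
 * hold is rejected with -EINVAL before any element is touched. The
 * bound comes from the allocation length the driver controls, never
 * from a field inside the reply. */
int validate_chanspec_count(const struct chanspec_list *list, size_t buf_len)
{
	if (buf_len < sizeof(*list))
		return -EINVAL;
	if (list->count > max_elements(buf_len))
		return -EINVAL;
	return 0;
}

/* Consumer modelled on the driver's loop: validate first, then walk.
 * Returns the number of elements visited, or -EINVAL. */
int walk_chanspecs(const struct chanspec_list *list, size_t buf_len)
{
	int err = validate_chanspec_count(list, buf_len);
	if (err)
		return err;
	int seen = 0;
	for (uint32_t i = 0; i < list->count; i++) {
		/* element[i] is inside the allocation because count was checked */
		(void)list->element[i];
		seen++;
	}
	return seen;
}

/* Helper: allocate a zeroed buf_len-byte reply and set the count field
 * to whatever the "device" claims (constructed input, hypothetical). */
struct chanspec_list *make_reply(size_t buf_len, uint32_t claimed_count)
{
	if (buf_len < sizeof(struct chanspec_list))
		return NULL;
	struct chanspec_list *list = calloc(1, buf_len);
	if (!list)
		return NULL;
	list->count = claimed_count;
	return list;
}

int main(void)
{
	size_t fit = max_elements(REPLY_BUF_LEN);
	struct chanspec_list *ok = make_reply(REPLY_BUF_LEN, 3);
	struct chanspec_list *bad = make_reply(REPLY_BUF_LEN, (uint32_t)fit + 1);
	if (!ok || !bad)
		return 1;
	printf("capacity: %zu elements\n", fit);
	printf("count=3   -> %d\n", walk_chanspecs(ok, REPLY_BUF_LEN));
	printf("count=%zu -> %d (-EINVAL is %d)\n", fit + 1,
	       walk_chanspecs(bad, REPLY_BUF_LEN), -EINVAL);
	free(ok);
	free(bad);
	return 0;
}
```

With the constructed 2048-byte buffer the header leaves room for 511 entries, so a claimed count of 511 passes and 512 is refused; a caller that frees the buffer and propagates -EINVAL, as the commit says brcmf_setup_wiphybands() and brcmf_cfg80211_attach() do, never reaches the loop with an untrusted count.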
accessibility tty: fix possible null-ptr-defer in spk_ttyio_release 2023-01-24 07:22:46 +01:00
acpi ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel systems 2023-02-06 07:59:01 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-12-02 17:41:00 +01:00
ata ata: libata: Fix sata_down_spd_limit() when no link speed is reported 2023-02-09 11:26:37 +01:00
atm
auxdisplay
base driver core: Fix test_async_probe_init saves device in wrong array 2023-02-01 08:27:14 +01:00
bcma
block block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
bluetooth Bluetooth: hci_qca: Fix driver shutdown on closed serdev 2023-01-24 07:22:42 +01:00
bus bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() 2023-02-09 11:26:32 +01:00
cdrom
char ipmi: fix use after free in _ipmi_destroy_user() 2023-01-12 11:58:57 +01:00
clk clk: st: Fix memory leak in st_of_quadfs_setup() 2022-12-31 13:14:43 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2022-12-31 13:14:04 +01:00
comedi comedi: adv_pci1760: Fix PWM instruction handling 2023-01-24 07:22:45 +01:00
connector
counter counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update 2022-12-31 13:14:30 +01:00
cpufreq cpufreq: governor: Use kobject release() method to free dbs_data 2023-02-01 08:27:29 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2022-12-31 13:14:01 +01:00
crypto crypto: ccp - Add support for TEE for PCI ID 0x14CA 2023-01-12 11:58:58 +01:00
cxl
dax devdax: Fix soft-reservation memory description 2022-09-28 11:11:57 +02:00
dca
devfreq PM/devfreq: governor: Add a private governor_data for governor 2023-01-12 11:58:51 +01:00
dio drivers: dio: fix possible memory leak in dio_init() 2022-12-31 13:14:27 +01:00
dma dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init 2023-02-06 07:59:00 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-12-02 17:41:06 +01:00
edac EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info 2023-02-01 08:27:25 +01:00
eisa
extcon extcon: usbc-tusb320: fix kernel-doc warning 2023-02-06 07:59:01 +01:00
firewire firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region 2023-02-09 11:26:32 +01:00
firmware efi: Accept version 2 of memory attributes table 2023-02-09 11:26:41 +01:00
fpga fpga: stratix10-soc: Fix return value check in s10_ops_write_init() 2023-02-09 11:26:44 +01:00
fsi WRITE is "data source", not destination... 2023-02-09 11:26:34 +01:00
gnss
gpio gpio: mxc: Unlock on error path in mxc_flip_edge() 2023-02-01 08:27:28 +01:00
gpu drm/i915: Fix potential bit_17 double-free 2023-02-09 11:26:45 +01:00
greybus
hid HID: playstation: sanity check DualSense calibration data. 2023-02-06 07:59:00 +01:00
hsi HSI: omap_ssi_core: Fix error handling in ssi_init() 2022-12-31 13:14:32 +01:00
hv video: hyperv_fb: Avoid taking busy spinlock on panic path 2022-12-31 13:14:39 +01:00
hwmon hwmon: (jc42) Fix missing unlock on error in jc42_write() 2022-12-31 13:14:44 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:58:13 +01:00
hwtracing coresight: trbe: remove cpuhp instance node before remove cpuhp state 2022-12-31 13:14:30 +01:00
i2c i2c: rk3x: fix a bunch of kernel-doc warnings 2023-02-09 11:26:39 +01:00
i3c
idle
iio iio:adc:twl6030: Enable measurement of VAC 2023-02-09 11:26:47 +01:00
infiniband READ is "data destination", not source... 2023-02-09 11:26:34 +01:00
input Input: i8042 - add Clevo PCX0DX to i8042 quirk table 2023-02-09 11:26:41 +01:00
interconnect
iommu iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() 2023-01-18 11:48:52 +01:00
ipack
irqchip irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init() 2022-12-31 13:14:03 +01:00
isdn mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() 2022-12-31 13:14:37 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-26 12:34:39 +02:00
macintosh macintosh/macio-adb: check the return value of ioremap() 2022-12-31 13:14:35 +01:00
mailbox mailbox: zynq-ipi: fix error handling while device_register() fails 2022-12-31 13:14:39 +01:00
mcb mcb: mcb-parse: fix error handing in chameleon_parse_gdd() 2022-12-31 13:14:30 +01:00
md block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
media media: s5p-mfc: Fix in register read and write for H264 2023-01-12 11:59:06 +01:00
memory memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() 2023-02-01 08:27:03 +01:00
memstick memstick/ms_block: Add check for alloc_ordered_workqueue 2022-12-31 13:14:17 +01:00
message
mfd mfd: mt6360: Add bounds checking in Regmap read/write call-backs 2023-01-12 11:58:47 +01:00
misc mei: me: add meteor lake point M DID 2023-01-24 07:22:47 +01:00
mmc mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting 2023-01-24 07:22:45 +01:00
most
mtd mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() 2023-01-12 11:58:57 +01:00
mux
net wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads 2023-02-09 11:26:48 +01:00
nfc nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() 2023-01-18 11:48:54 +01:00
ntb
nubus
nvdimm
nvme nvme: fix passthrough csi check 2023-02-01 08:27:28 +01:00
nvmem nvmem: core: fix cell removal on error 2023-02-09 11:26:45 +01:00
of of/kexec: Fix reading 32-bit "linux,initrd-{start,end}" values 2023-01-12 11:58:53 +01:00
opp
parisc parisc: led: Fix potential null-ptr-deref in start_task() 2023-01-12 11:58:59 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-26 09:24:36 +01:00
pci PCI/sysfs: Fix double free in error path 2023-01-12 11:58:58 +01:00
pcmcia
perf perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() 2022-12-31 13:13:58 +01:00
phy phy: qcom-qmp-combo: fix runtime suspend 2023-02-09 11:26:46 +01:00
pinctrl pinctrl: rockchip: fix mux route data for rk3568 2023-02-01 08:27:11 +01:00
platform platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF 2023-02-09 11:26:40 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2022-12-31 13:14:02 +01:00
power power: supply: fix null pointer dereferencing in power_supply_get_battery_info 2022-12-31 13:14:33 +01:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-26 12:35:30 +02:00
pps
ps3
ptp
pwm pwm: tegra: Fix 32 bit build 2022-12-31 13:14:48 +01:00
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2022-12-31 13:14:05 +01:00
ras
regulator regulator: da9211: Use irq handler when ready 2023-01-18 11:48:53 +01:00
remoteproc remoteproc: core: Do pm_relax when in RPROC_OFFLINE state 2023-01-12 11:58:59 +01:00
reset reset: uniphier-glue: Fix possible null-ptr-deref 2023-02-01 08:27:04 +01:00
rpmsg rpmsg: qcom: glink: replace strncpy() with strscpy_pad() 2022-10-12 09:53:28 +02:00
rtc rtc: ds1347: fix value written to century register 2023-01-12 11:58:56 +01:00
s390 block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
sbus
scsi scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress 2023-02-09 11:26:39 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-26 09:24:36 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-26 09:24:44 +01:00
soc PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() 2023-02-01 08:27:06 +01:00
soundwire ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire 2023-01-12 11:58:49 +01:00
spi spi: spidev: remove debug messages that access spidev->spi without locking 2023-02-01 08:27:18 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 12:35:19 +02:00
ssb
staging staging: mt7621-dts: change some node hex addresses to lower case 2023-01-24 07:22:46 +01:00
target scsi: target: core: Fix warning on RT kernels 2023-02-09 11:26:39 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:41:03 +01:00
thermal thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() 2023-02-01 08:27:28 +01:00
thunderbolt thunderbolt: Use correct function to calculate maximum USB3 link rate 2023-01-24 07:22:46 +01:00
tty serial: 8250_dma: Fix DMA Rx rearm race 2023-02-09 11:26:46 +01:00
uio uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2022-12-31 13:14:27 +01:00
usb usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints 2023-02-09 11:26:44 +01:00
vdpa vduse: Validate vq_num in vduse_validate_config() 2023-01-24 07:22:41 +01:00
vfio vfio: platform: Do not pass return buffer to ACPI _RST method 2022-12-31 13:14:27 +01:00
vhost vhost/net: Clear the pending messages when the backend is removed 2023-02-09 11:26:34 +01:00
video fbdev: smscufx: fix error handling code in ufx_usb_probe 2023-02-09 11:26:47 +01:00
virt
virtio virtio_pci: modify ENOENT to EINVAL 2023-01-24 07:22:41 +01:00
visorbus
vlynq
vme vme: Fix error not catched in fake_init() 2022-12-31 13:14:30 +01:00
w1 w1: fix WARNING after calling w1_process() 2023-02-01 08:27:14 +01:00
watchdog watchdog: diag288_wdt: fix __diag288() inline assembly 2023-02-09 11:26:41 +01:00
xen fix "direction" argument of iov_iter_kvec() 2023-02-09 11:26:34 +01:00
zorro
Kconfig
Makefile