From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CFD8C4332F for ; Sat, 24 Dec 2022 01:40:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237004AbiLXBkm (ORCPT ); Fri, 23 Dec 2022 20:40:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39122 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236664AbiLXBjn (ORCPT ); Fri, 23 Dec 2022 20:39:43 -0500 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 346C953EF0; Fri, 23 Dec 2022 17:33:06 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 1E1FBCE1D05; Sat, 24 Dec 2022 01:32:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 10CE7C433D2; Sat, 24 Dec 2022 01:32:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1671845562; bh=S5MPGFOs8CQGz7DP6f7RiUIyLU+Iohmst9KrpGtTkRI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LE9KS6c6oV8iIwY70QKwernCa1bBsCFxm3lfcD3IsHldirtJFXpzpRLDOhxXCzz+L l4jm4Xg3iS+quv1QiSMTcKwcJEDEW1XymyJL+L9RcrySS+tj6D6NDoEyb0eJNumHcF DnEHo6IpnVVohTsj9RWcKjLIfrA1g5UnTawcUprlXRysY9XWg7Q9fLpYuxG8F97I+f XSlxQvvP6/RSMXsSVaXCm6oy4UwkNu7vBkl8rm1FTOH0/+xUBwlfQUeHlv3SPyqi3U X1DVjKt4f2lrDEtmhdMH/oF5uCUJxrDNrT/l18TS3zkyDYSb5SugdE5rNATDJsnObM 8uJcYvlZXOQbA== 
From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Henry Tian, Lei YU, Neal Liu, Benjamin Herrenschmidt, Greg Kroah-Hartman, Sasha Levin, joel@jms.id.au, jakobkoschel@gmail.com, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org
Subject: [PATCH AUTOSEL 5.4 2/7] usb: gadget: aspeed: fix buffer overflow
Date: Fri, 23 Dec 2022 20:32:28 -0500
Message-Id: <20221224013233.393537-2-sashal@kernel.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221224013233.393537-1-sashal@kernel.org>
References: <20221224013233.393537-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Henry Tian

[ Upstream commit 83045e19feae937c425248824d1dc0fc95583842 ]

In ast_vhub_epn_handle_ack(), when the received data length exceeds the
buffer, it does not check the case and just copies to req.buf, which
causes a buffer overflow and a kernel oops in this case.

This issue could be reproduced on a BMC with an OS that enables LAN over
USB:

1. In OS, enable the usb eth dev, verify it pings the BMC OK;
2. In OS, set the usb dev mtu to 2000. (Default is 1500);
3. In OS, ping the BMC with `-s 2000` argument.

The BMC kernel will get oops with below logs:

skbuff: skb_over_panic: text:8058e098 len:2048 put:2048 head:84c678a0 data:84c678c2 tail:0x84c680c2 end:0x84c67f00 dev:usb0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
Internal error: Oops - BUG: 0 [#1] ARM
CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.69-c9fb275-dirty-d1e579a #1
Hardware name: Generic DT based system
PC is at skb_panic+0x60/0x6c
LR is at irq_work_queue+0x6c/0x94

Fix the issue by checking the length and setting `-EOVERFLOW`.

Tested: Verify the BMC kernel does not get oops in the above case, and
the usb ethernet gets RX packet errors instead.

Signed-off-by: Lei YU
Signed-off-by: Henry Tian
Reviewed-by: Neal Liu
Acked-by: Benjamin Herrenschmidt
Link: https://lore.kernel.org/r/20221024094853.2877441-1-yulei.sh@bytedance.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/usb/gadget/udc/aspeed-vhub/core.c |  2 +-
 drivers/usb/gadget/udc/aspeed-vhub/epn.c  | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/gadget/udc/aspeed-vhub/core.c b/drivers/usb/gadget/udc/aspeed-vhub/core.c index c1bfbfd9491d..0812967e1d5a 100644 --- a/drivers/usb/gadget/udc/aspeed-vhub/core.c +++ b/drivers/usb/gadget/udc/aspeed-vhub/core.c @@ -42,7 +42,7 @@ void ast_vhub_done(struct ast_vhub_ep *ep, struct ast_vhub_req *req, list_del_init(&req->queue); - if (req->req.status == -EINPROGRESS) + if ((req->req.status == -EINPROGRESS) || (status == -EOVERFLOW)) req->req.status = status; if (req->req.dma) { diff --git a/drivers/usb/gadget/udc/aspeed-vhub/epn.c b/drivers/usb/gadget/udc/aspeed-vhub/epn.c index 2cd406e8dd99..90d1279eca64 100644 --- a/drivers/usb/gadget/udc/aspeed-vhub/epn.c +++ b/drivers/usb/gadget/udc/aspeed-vhub/epn.c @@ -89,6 +89,7 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep) { struct ast_vhub_req *req; unsigned int len; + int status = 0; u32 stat; /* Read EP status */ @@ -124,9 +125,15 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep) len = VHUB_EP_DMA_TX_SIZE(stat); /* If not using DMA, copy data out if needed */ - if (!req->req.dma && !ep->epn.is_in && len) - memcpy(req->req.buf + req->req.actual, ep->buf, len); - + if (!req->req.dma && !ep->epn.is_in && len) { + if (req->req.actual + len > req->req.length) { + req->last_desc = 1; + status = -EOVERFLOW; + goto done; + } else { + memcpy(req->req.buf + req->req.actual, ep->buf, len); + } + } /* Adjust size */ req->req.actual += len;
@@ -134,9 +141,10 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep) if (len < ep->ep.maxpacket) req->last_desc = 1; +done: /* That's it ? complete the request and pick a new one */ if (req->last_desc >= 0) { - ast_vhub_done(ep, req, 0); + ast_vhub_done(ep, req, status); req = list_first_entry_or_null(&ep->queue, struct ast_vhub_req, queue); -- 2.35.1
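Review bot: in the core.c hunk (@@ -42,7 +42,7 @@), the added `|| (status == -EOVERFLOW)` lets -EOVERFLOW replace a req->req.status that an earlier path has already set, whereas the original only wrote the status while it was still -EINPROGRESS; a one-line comment on that `if` saying why overflow must take precedence over an already-final status would help the next reader, and the commit message should mention this change of precedence explicitly.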
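Review bot: in the epn.c hunk at @@ -124,9 +125,15 @@, the `else` after `goto done` is redundant; the `memcpy(...)` can follow the `if` block directly, which is the usual kernel style. Also, the new check lives inside the `!req->req.dma && !ep->epn.is_in` branch only, so an OUT request that does use DMA is not covered by it; the commit message should say whether that path is bounded by the descriptor length or needs its own check. Finally, the overflow path intentionally skips `req->req.actual += len` (the bytes of the rejected packet are not counted); a short comment next to the `goto` would make that deliberate.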
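Review bot: in the epn.c hunk at @@ -134,9 +141,10 @@, the `done:` label sits right before `if (req->last_desc >= 0)`, so the overflow path only reaches `ast_vhub_done(ep, req, status)` because the previous hunk set `req->last_desc = 1` before jumping; a comment at the label stating that callers jumping here must already have set last_desc would make the control flow explicit and keep a future edit from breaking the completion.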
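The following is an added example, not code from the patch or the aspeed-vhub driver: a constructed user-space model of the non-DMA OUT path, reproducing the length check and the ast_vhub_done() status precedence the patch introduces, with a canary byte after the request buffer to show that an oversized packet now completes the request with -EOVERFLOW instead of writing past req.buf. All names (fake_req, fake_handle_ack, fake_done, run_transfer, MAXPACKET = 64) and the convention that last_desc starts at -1 are assumptions made up for this model; the kernel's struct usb_request and endpoint code are not used.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the struct usb_request fields the driver touches.
 * Not the kernel structure; field names follow the patch for readability. */
struct fake_req {
    uint8_t *buf;          /* caller's receive buffer (req->req.buf) */
    unsigned int length;   /* size of buf (req->req.length) */
    unsigned int actual;   /* bytes received so far (req->req.actual) */
    int status;            /* -EINPROGRESS while queued */
    int last_desc;         /* assumption: -1 = more packets expected */
};

#define MAXPACKET 64       /* assumed wMaxPacketSize of the endpoint */

/* Model of ast_vhub_done() after the patch: a status that is already final
 * is kept, except that -EOVERFLOW always wins. */
static void fake_done(struct fake_req *req, int status)
{
    if (req->status == -EINPROGRESS || status == -EOVERFLOW)
        req->status = status;
}

/* Model of the non-DMA OUT path of ast_vhub_epn_handle_ack() after the fix.
 * ep_buf holds the `len` bytes the endpoint just received.
 * Returns 1 if the request completed, 0 if more packets are expected. */
static int fake_handle_ack(struct fake_req *req, const uint8_t *ep_buf,
                           unsigned int len)
{
    int status = 0;

    if (len) {
        /* Before the patch this memcpy ran unconditionally; the length
         * check is what the patch adds. */
        if (req->actual + len > req->length) {
            req->last_desc = 1;       /* force completion of this request */
            status = -EOVERFLOW;
            goto done;                /* skips the actual += len below */
        }
        memcpy(req->buf + req->actual, ep_buf, len);
    }
    req->actual += len;
    if (len < MAXPACKET)              /* short packet ends the transfer */
        req->last_desc = 1;
done:
    if (req->last_desc >= 0) {
        fake_done(req, status);
        return 1;
    }
    return 0;
}

struct result {
    int status;            /* final request status */
    unsigned int actual;   /* bytes the request reports as received */
    int canary_ok;         /* 1 if the byte just past buf is untouched */
};

/* Feeds up to two packets of len1 and len2 bytes (clamped to MAXPACKET) into
 * a 100-byte request buffer followed by one canary byte. Constructed input. */
static struct result run_transfer(unsigned int len1, unsigned int len2)
{
    uint8_t storage[100 + 1];
    uint8_t pkt[MAXPACKET];
    struct fake_req req = {
        .buf = storage, .length = 100, .actual = 0,
        .status = -EINPROGRESS, .last_desc = -1,
    };
    struct result r;

    if (len1 > MAXPACKET) len1 = MAXPACKET;
    if (len2 > MAXPACKET) len2 = MAXPACKET;
    memset(storage, 0, sizeof storage);
    storage[100] = 0xA5;              /* canary just past the request buffer */
    memset(pkt, 0x11, sizeof pkt);

    if (!fake_handle_ack(&req, pkt, len1))
        fake_handle_ack(&req, pkt, len2);

    r.status = req.status;
    r.actual = req.actual;
    r.canary_ok = storage[100] == 0xA5;
    return r;
}

int main(void)
{
    struct result ok = run_transfer(64, 36);    /* 100 bytes: fits exactly */
    struct result big = run_transfer(64, 64);   /* 128 bytes: exceeds length */

    printf("fits:     status=%d actual=%u canary_ok=%d\n",
           ok.status, ok.actual, ok.canary_ok);
    printf("overflow: status=%d actual=%u canary_ok=%d\n",
           big.status, big.actual, big.canary_ok);
    return 0;
}
```

The second transfer is the shape of the reported bug: two full-size packets that together exceed the request length. With the check in place the request completes with -EOVERFLOW and `actual` stops at the bytes that did fit, which is the "RX packet errors instead of an oops" behaviour the commit message describes.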