* [PATCH stable 4.9,4.14,4.19] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
@ 2022-02-14 11:32 Jann Horn
2022-02-17 18:42 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Jann Horn @ 2022-02-14 11:32 UTC (permalink / raw)
To: stable; +Cc: gregkh, Jann Horn, stable
commit 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 upstream.
ax88179_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:
- The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,
causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB
endianness flip to corrupt data used by a cloned SKB that has already
been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end,
causing out-of-bounds heap data to be considered part of the SKB's
data.
I have tested that this can be used by a malicious USB device to send a
bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response
that contains random kernel heap data.
It's probably also possible to get OOB writes from this on a
little-endian system somehow - maybe by triggering skb_cow() via IP
options processing -, but I haven't tested that.
Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
drivers/net/usb/ax88179_178a.c | 68 +++++++++++++++++++---------------
1 file changed, 39 insertions(+), 29 deletions(-)
diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
index b2434b479846..684eec0aa0d6 100644
--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -1373,59 +1373,69 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
u16 hdr_off;
u32 *pkt_hdr;
- /* This check is no longer done by usbnet */
- if (skb->len < dev->net->hard_header_len)
+ /* At the end of the SKB, there's a header telling us how many packets
+ * are bundled into this buffer and where we can find an array of
+ * per-packet metadata (which contains elements encoded into u16).
+ */
+ if (skb->len < 4)
return 0;
-
skb_trim(skb, skb->len - 4);
memcpy(&rx_hdr, skb_tail_pointer(skb), 4);
le32_to_cpus(&rx_hdr);
-
pkt_cnt = (u16)rx_hdr;
hdr_off = (u16)(rx_hdr >> 16);
+
+ if (pkt_cnt == 0)
+ return 0;
+
+ /* Make sure that the bounds of the metadata array are inside the SKB
+ * (and in front of the counter at the end).
+ */
+ if (pkt_cnt * 2 + hdr_off > skb->len)
+ return 0;
pkt_hdr = (u32 *)(skb->data + hdr_off);
- while (pkt_cnt--) {
+ /* Packets must not overlap the metadata array */
+ skb_trim(skb, hdr_off);
+
+ for (; ; pkt_cnt--, pkt_hdr++) {
u16 pkt_len;
le32_to_cpus(pkt_hdr);
pkt_len = (*pkt_hdr >> 16) & 0x1fff;
- /* Check CRC or runt packet */
- if ((*pkt_hdr & AX_RXHDR_CRC_ERR) ||
- (*pkt_hdr & AX_RXHDR_DROP_ERR)) {
- skb_pull(skb, (pkt_len + 7) & 0xFFF8);
- pkt_hdr++;
- continue;
- }
-
- if (pkt_cnt == 0) {
- skb->len = pkt_len;
- /* Skip IP alignment pseudo header */
- skb_pull(skb, 2);
- skb_set_tail_pointer(skb, skb->len);
- skb->truesize = pkt_len + sizeof(struct sk_buff);
- ax88179_rx_checksum(skb, pkt_hdr);
- return 1;
- }
+ if (pkt_len > skb->len)
+ return 0;
- ax_skb = skb_clone(skb, GFP_ATOMIC);
- if (ax_skb) {
+ /* Check CRC or runt packet */
+ if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) == 0) &&
+ pkt_len >= 2 + ETH_HLEN) {
+ bool last = (pkt_cnt == 0);
+
+ if (last) {
+ ax_skb = skb;
+ } else {
+ ax_skb = skb_clone(skb, GFP_ATOMIC);
+ if (!ax_skb)
+ return 0;
+ }
ax_skb->len = pkt_len;
/* Skip IP alignment pseudo header */
skb_pull(ax_skb, 2);
skb_set_tail_pointer(ax_skb, ax_skb->len);
ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
ax88179_rx_checksum(ax_skb, pkt_hdr);
+
+ if (last)
+ return 1;
+
usbnet_skb_return(dev, ax_skb);
- } else {
- return 0;
}
- skb_pull(skb, (pkt_len + 7) & 0xFFF8);
- pkt_hdr++;
+ /* Trim this packet away from the SKB */
+ if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8))
+ return 0;
}
- return 1;
}
static struct sk_buff *
base-commit: 6b09c9f0e648f3b91449afb6a308488f3af414c1
--
2.35.1.265.g69c8d7142f-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH stable 4.9,4.14,4.19] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
2022-02-14 11:32 [PATCH stable 4.9,4.14,4.19] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Jann Horn
@ 2022-02-17 18:42 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2022-02-17 18:42 UTC (permalink / raw)
To: Jann Horn; +Cc: stable, stable
On Mon, Feb 14, 2022 at 12:32:42PM +0100, Jann Horn wrote:
> commit 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 upstream.
>
> ax88179_rx_fixup() contains several out-of-bounds accesses that can be
> triggered by a malicious (or defective) USB device, in particular:
>
> - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,
> causing OOB reads and (on big-endian systems) OOB endianness flips.
> - A packet can overlap the metadata array, causing a later OOB
> endianness flip to corrupt data used by a cloned SKB that has already
> been handed off into the network stack.
> - A packet SKB can be constructed whose tail is far beyond its end,
> causing out-of-bounds heap data to be considered part of the SKB's
> data.
>
> I have tested that this can be used by a malicious USB device to send a
> bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response
> that contains random kernel heap data.
> It's probably also possible to get OOB writes from this on a
> little-endian system somehow - maybe by triggering skb_cow() via IP
> options processing -, but I haven't tested that.
>
> Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
> Cc: stable@kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
> drivers/net/usb/ax88179_178a.c | 68 +++++++++++++++++++---------------
> 1 file changed, 39 insertions(+), 29 deletions(-)
Now queued up, thanks.
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-02-17 18:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-14 11:32 [PATCH stable 4.9,4.14,4.19] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Jann Horn
2022-02-17 18:42 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).