From: Szymon Heidrich
To: woojung.huh@microchip.com, UNGLinuxDriver@microchip.com, kuba@kernel.org, davem@davemloft.net, edumazet@google.com
Cc: pabeni@redhat.com, szymon.heidrich@gmail.com, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] net: usb: lan78xx: Limit packet length to skb->len
Date: Sat, 18 Mar 2023 10:25:52 +0100
Message-Id: <20230318092552.93145-1-szymon.heidrich@gmail.com>

Packet length retrieved from descriptor may be larger than
the actual socket buffer length. In such case the cloned
skb passed up the network stack will leak kernel memory contents.

Additionally prevent integer underflow when size is less than
ETH_FCS_LEN.

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Signed-off-by: Szymon Heidrich --- V1 -> V2: Fix ISO C90 forbids mixed declarations and code V2 -> V3: Removed the Reported-by tag drivers/net/usb/lan78xx.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 068488890..c458c030f 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -3579,13 +3579,29 @@ static int lan78xx_rx(struct lan78xx_net *dev, stru= ct sk_buff *skb, size =3D (rx_cmd_a & RX_CMD_A_LEN_MASK_); align_count =3D (4 - ((size + RXW_PADDING) % 4)) % 4; =20 + if (unlikely(size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=3D0x%08x\n", + rx_cmd_a); + return 0; + } + if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) { netif_dbg(dev, rx_err, dev->net, "Error rx_cmd_a=3D0x%08x", rx_cmd_a); } else { - u32 frame_len =3D size - ETH_FCS_LEN; + u32 frame_len; struct sk_buff *skb2; =20 + if (unlikely(size < ETH_FCS_LEN)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=3D0x%08x\n", + rx_cmd_a); + return 0; + } + + frame_len =3D size - ETH_FCS_LEN; + skb2 =3D napi_alloc_skb(&dev->napi, frame_len); if (!skb2) return 0; --=20 2.40.0
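Review bot: The two added checks in lan78xx_rx() (size > skb->len ahead of the RX_CMD_A_RED_ test, and size < ETH_FCS_LEN inside the else branch) log the identical text "size err rx_cmd_a=0x%08x", so a debug log cannot show which bound was violated, and the first message omits skb->len, the value that size was compared against. Suggest distinct messages, with size and skb->len printed in the first one. Also consider incrementing an rx error counter such as dev->net->stats.rx_length_errors on both paths: netif_dbg output is only visible when the rx_err message level is enabled, and both paths return 0 just like the napi_alloc_skb() failure below them, so a device that sends bogus descriptor lengths is otherwise dropped without any trace.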