cve/published/2022/CVE-2022-49740.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49740: wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

 This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
 brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
 value of channel specifications provided by the device is greater than
 the length of 'list->element[]', decided by the size of the 'list'
 allocated with kzalloc(). The patch adds checks that make the functions
 free the buffer and return -EINVAL if that is the case. Note that the
 negative return is handled by the caller, brcmf_setup_wiphybands() or
 brcmf_cfg80211_attach().

 Found by a modified version of syzkaller.

 Crash Report from brcmf_construct_chaninfo():
 ==================================================================
 BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
 Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

 CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
 Workqueue: usb_hub_wq hub_event
 Call Trace:
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0.cold+0x93/0x334
  kasan_report.cold+0x83/0xdf
  brcmf_setup_wiphybands+0x1238/0x1430
  brcmf_cfg80211_attach+0x2118/0x3fd0
  brcmf_attach+0x389/0xd40
  brcmf_usb_probe+0x12de/0x1690
  usb_probe_interface+0x25f/0x710
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_set_configuration+0x984/0x1770
  usb_generic_driver_probe+0x69/0x90
  usb_probe_device+0x9c/0x220
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_new_device.cold+0x463/0xf66
  hub_event+0x10d5/0x3330
  process_one_work+0x873/0x13e0
  worker_thread+0x8b/0xd10
  kthread+0x379/0x450
  ret_from_fork+0x1f/0x30

 Allocated by task 1896:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  kmem_cache_alloc_trace+0x19e/0x330
  brcmf_setup_wiphybands+0x290/0x1430
  brcmf_cfg80211_attach+0x2118/0x3fd0
  brcmf_attach+0x389/0xd40
  brcmf_usb_probe+0x12de/0x1690
  usb_probe_interface+0x25f/0x710
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_set_configuration+0x984/0x1770
  usb_generic_driver_probe+0x69/0x90
  usb_probe_device+0x9c/0x220
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_new_device.cold+0x463/0xf66
  hub_event+0x10d5/0x3330
  process_one_work+0x873/0x13e0
  worker_thread+0x8b/0xd10
  kthread+0x379/0x450
  ret_from_fork+0x1f/0x30

 The buggy address belongs to the object at ffff888115f24000
  which belongs to the cache kmalloc-2k of size 2048
 The buggy address is located 1536 bytes inside of
  2048-byte region [ffff888115f24000, ffff888115f24800)

 Memory state around the buggy address:
  ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ==================================================================

 Crash Report from brcmf_enable_bw40_2g():
 ==================================================================
 BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
 Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896

 CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
 Workqueue: usb_hub_wq hub_event
 Call Trace:
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0.cold+0x93/0x334
  kasan_report.cold+0x83/0xdf
  brcmf_cfg80211_attach+0x3d11/0x3fd0
  brcmf_attach+0x389/0xd40
  brcmf_usb_probe+0x12de/0x1690
  usb_probe_interface+0x25f/0x710
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_set_configuration+0x984/0x1770
  usb_generic_driver_probe+0x69/0x90
  usb_probe_device+0x9c/0x220
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_new_device.cold+0x463/0xf66
  hub_event+0x10d5/0x3330
  process_one_work+0x873/0x13e0
  worker_thread+0x8b/0xd10
  kthread+0x379/0x450
  ret_from_fork+0x1f/0x30

 Allocated by task 1896:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  kmem_cache_alloc_trace+0x19e/0x330
  brcmf_cfg80211_attach+0x3302/0x3fd0
  brcmf_attach+0x389/0xd40
  brcmf_usb_probe+0x12de/0x1690
  usb_probe_interface+0x25f/0x710
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_set_configuration+0x984/0x1770
  usb_generic_driver_probe+0x69/0x90
  usb_probe_device+0x9c/0x220
  really_probe+0x1be/0xa90
  __driver_probe_device+0x2ab/0x460
  driver_probe_device+0x49/0x120
  __device_attach_driver+0x18a/0x250
  bus_for_each_drv+0x123/0x1a0
  __device_attach+0x207/0x330
  bus_probe_device+0x1a2/0x260
  device_add+0xa61/0x1ce0
  usb_new_device.cold+0x463/0xf66
  hub_event+0x10d5/0x3330
  process_one_work+0x873/0x13e0
  worker_thread+0x8b/0xd10
  kthread+0x379/0x450
  ret_from_fork+0x1f/0x30

 The buggy address belongs to the object at ffff888103787000
  which belongs to the cache kmalloc-2k of size 2048
 The buggy address is located 1536 bytes inside of
  2048-byte region [ffff888103787000, ffff888103787800)

 Memory state around the buggy address:
  ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ==================================================================

 The Linux kernel CVE team has assigned CVE-2022-49740 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.232 with commit 9cf5e99c1ae1a85286a76c9a970202750538394c
 	Fixed in 5.10.168 with commit b2e412879595821ff1b5545cbed5f108fba7f5b6
 	Fixed in 5.15.93 with commit e4991910f15013db72f6ec0db7038ea67a57052e
 	Fixed in 6.1.11 with commit f06de1bb6d61f0c18b0213bbc6298960037f9d42
 	Fixed in 6.2 with commit 4920ab131b2dbae7464b72bdcac465d070254209

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49740
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9cf5e99c1ae1a85286a76c9a970202750538394c
 	https://git.kernel.org/stable/c/b2e412879595821ff1b5545cbed5f108fba7f5b6
 	https://git.kernel.org/stable/c/e4991910f15013db72f6ec0db7038ea67a57052e
 	https://git.kernel.org/stable/c/f06de1bb6d61f0c18b0213bbc6298960037f9d42
 	https://git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49740: wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

	This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
	brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
	value of channel specifications provided by the device is greater than
	the length of 'list->element[]', decided by the size of the 'list'
	allocated with kzalloc(). The patch adds checks that make the functions
	free the buffer and return -EINVAL if that is the case. Note that the
	negative return is handled by the caller, brcmf_setup_wiphybands() or
	brcmf_cfg80211_attach().

	Found by a modified version of syzkaller.

	Crash Report from brcmf_construct_chaninfo():
	==================================================================
	BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
	Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

	CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	dump_stack_lvl+0x57/0x7d
	print_address_description.constprop.0.cold+0x93/0x334
	kasan_report.cold+0x83/0xdf
	brcmf_setup_wiphybands+0x1238/0x1430
	brcmf_cfg80211_attach+0x2118/0x3fd0
	brcmf_attach+0x389/0xd40
	brcmf_usb_probe+0x12de/0x1690
	usb_probe_interface+0x25f/0x710
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_set_configuration+0x984/0x1770
	usb_generic_driver_probe+0x69/0x90
	usb_probe_device+0x9c/0x220
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_new_device.cold+0x463/0xf66
	hub_event+0x10d5/0x3330
	process_one_work+0x873/0x13e0
	worker_thread+0x8b/0xd10
	kthread+0x379/0x450
	ret_from_fork+0x1f/0x30

	Allocated by task 1896:
	kasan_save_stack+0x1b/0x40
	__kasan_kmalloc+0x7c/0x90
	kmem_cache_alloc_trace+0x19e/0x330
	brcmf_setup_wiphybands+0x290/0x1430
	brcmf_cfg80211_attach+0x2118/0x3fd0
	brcmf_attach+0x389/0xd40
	brcmf_usb_probe+0x12de/0x1690
	usb_probe_interface+0x25f/0x710
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_set_configuration+0x984/0x1770
	usb_generic_driver_probe+0x69/0x90
	usb_probe_device+0x9c/0x220
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_new_device.cold+0x463/0xf66
	hub_event+0x10d5/0x3330
	process_one_work+0x873/0x13e0
	worker_thread+0x8b/0xd10
	kthread+0x379/0x450
	ret_from_fork+0x1f/0x30

	The buggy address belongs to the object at ffff888115f24000
	which belongs to the cache kmalloc-2k of size 2048
	The buggy address is located 1536 bytes inside of
	2048-byte region [ffff888115f24000, ffff888115f24800)

	Memory state around the buggy address:
	ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	^
	ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	==================================================================

	Crash Report from brcmf_enable_bw40_2g():
	==================================================================
	BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
	Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896

	CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	dump_stack_lvl+0x57/0x7d
	print_address_description.constprop.0.cold+0x93/0x334
	kasan_report.cold+0x83/0xdf
	brcmf_cfg80211_attach+0x3d11/0x3fd0
	brcmf_attach+0x389/0xd40
	brcmf_usb_probe+0x12de/0x1690
	usb_probe_interface+0x25f/0x710
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_set_configuration+0x984/0x1770
	usb_generic_driver_probe+0x69/0x90
	usb_probe_device+0x9c/0x220
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_new_device.cold+0x463/0xf66
	hub_event+0x10d5/0x3330
	process_one_work+0x873/0x13e0
	worker_thread+0x8b/0xd10
	kthread+0x379/0x450
	ret_from_fork+0x1f/0x30

	Allocated by task 1896:
	kasan_save_stack+0x1b/0x40
	__kasan_kmalloc+0x7c/0x90
	kmem_cache_alloc_trace+0x19e/0x330
	brcmf_cfg80211_attach+0x3302/0x3fd0
	brcmf_attach+0x389/0xd40
	brcmf_usb_probe+0x12de/0x1690
	usb_probe_interface+0x25f/0x710
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_set_configuration+0x984/0x1770
	usb_generic_driver_probe+0x69/0x90
	usb_probe_device+0x9c/0x220
	really_probe+0x1be/0xa90
	__driver_probe_device+0x2ab/0x460
	driver_probe_device+0x49/0x120
	__device_attach_driver+0x18a/0x250
	bus_for_each_drv+0x123/0x1a0
	__device_attach+0x207/0x330
	bus_probe_device+0x1a2/0x260
	device_add+0xa61/0x1ce0
	usb_new_device.cold+0x463/0xf66
	hub_event+0x10d5/0x3330
	process_one_work+0x873/0x13e0
	worker_thread+0x8b/0xd10
	kthread+0x379/0x450
	ret_from_fork+0x1f/0x30

	The buggy address belongs to the object at ffff888103787000
	which belongs to the cache kmalloc-2k of size 2048
	The buggy address is located 1536 bytes inside of
	2048-byte region [ffff888103787000, ffff888103787800)

	Memory state around the buggy address:
	ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	^
	ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	==================================================================

	The Linux kernel CVE team has assigned CVE-2022-49740 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.232 with commit 9cf5e99c1ae1a85286a76c9a970202750538394c
	Fixed in 5.10.168 with commit b2e412879595821ff1b5545cbed5f108fba7f5b6
	Fixed in 5.15.93 with commit e4991910f15013db72f6ec0db7038ea67a57052e
	Fixed in 6.1.11 with commit f06de1bb6d61f0c18b0213bbc6298960037f9d42
	Fixed in 6.2 with commit 4920ab131b2dbae7464b72bdcac465d070254209

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49740
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9cf5e99c1ae1a85286a76c9a970202750538394c
	https://git.kernel.org/stable/c/b2e412879595821ff1b5545cbed5f108fba7f5b6
	https://git.kernel.org/stable/c/e4991910f15013db72f6ec0db7038ea67a57052e
	https://git.kernel.org/stable/c/f06de1bb6d61f0c18b0213bbc6298960037f9d42
	https://git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209