Date: Thu, 29 May 2025 13:09:52 GMT
Message-Id: <202505291309.54TD9qi7061631@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Pierre Pronchery
Subject: git: 152bb8e30204 - main - umb: avoid buffer overflow in umb_getinfobuf()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: khorben
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 152bb8e3020451963a3f2a8adf05f00a5222a4e5

The branch main has been updated by khorben:

URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5

commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5
Author:     Pierre Pronchery
AuthorDate: 2025-05-26 23:42:30 +0000
Commit:     Pierre Pronchery
CommitDate: 2025-05-29 13:07:54 +0000

    umb: avoid buffer overflow in umb_getinfobuf()

    umb_getinfobuf() is called with offs and size taken from messages sent
    by the USB device. The sanity check is not sufficient, due to a possible
    integer wrap.

    This can allow a broken or malicious USB device, or possibly the network
    operator, to cause a buffer overflow.

    This fix from Gerhard Roth was obtained after coordination upstream with
    OpenBSD. It converts the variables to 64-bit integers, which should
    mitigate the risk of overflows.

    PR:             284906
    Reported by:    Robert Morris
    Approved by:    philip (mentor)
    Sponsored by:   The FreeBSD Foundation

--- sys/dev/usb/net/if_umb.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c index 50f481973be0..a7d3bb764a2b 100644 --- a/sys/dev/usb/net/if_umb.c +++ b/sys/dev/usb/net/if_umb.c
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz, { offs = le32toh(offs); sz = le32toh(sz); - if (inlen >= offs + sz) { - memset(out, 0, outlen); + memset(out, 0, outlen); + if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz) memcpy(out, in + offs, MIN(sz, outlen)); - } } static inline int
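
Review bot: in the new condition, `(uint64_t)inlen` converts an `int` parameter (see `int inlen` in the `umb_getinfobuf()` signature on the `@@` line), so a negative `inlen` would sign-extend to a value near 2^64 and satisfy the comparison for every `offs` and `sz`. The widening does close the 32-bit wrap of `offs + sz`, but I would either put `inlen >= 0 &&` in front of the comparison or change the parameter to an unsigned type, so the guard does not depend on callers never passing a negative length. Moving `memset(out, 0, outlen)` ahead of the check is good, since `out` is now zeroed on the reject path as well; a one-line comment saying that is intentional would help the next reader.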
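
The integer wrap that the commit message describes, worked through as an added example (not part of the commit or of the FreeBSD source). The function names `check_old`, `check_new` and `check_strict` and all input values are constructed for illustration; `check_strict` is a hypothetical variant that the commit does not contain.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix guard: the sum is computed in 32 bits and can wrap.
 * The cast spells out what C's usual arithmetic conversions do to
 * "inlen >= offs + sz" when inlen is int and the others are uint32_t. */
static int check_old(int inlen, uint32_t offs, uint32_t sz)
{
	return (uint32_t)inlen >= offs + sz;
}

/* Post-fix guard from the hunk: every operand is widened to 64 bits
 * before the addition, so offs + sz can no longer wrap. */
static int check_new(int inlen, uint32_t offs, uint32_t sz)
{
	return (uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz;
}

/* Hypothetical stricter variant (an assumption, not in the commit):
 * also refuse a negative inlen before widening it. */
static int check_strict(int inlen, uint32_t offs, uint32_t sz)
{
	return inlen >= 0 &&
	    (uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz;
}

int main(void)
{
	/* Constructed input: a 64-byte message whose device-supplied
	 * fields sum to 0x100000010, which truncates to 0x10 in 32 bits. */
	int inlen = 64;
	uint32_t offs = 0xfffffff0u, sz = 0x20u;

	printf("wrapping fields: old=%d new=%d strict=%d\n",
	    check_old(inlen, offs, sz), check_new(inlen, offs, sz),
	    check_strict(inlen, offs, sz));
	/* Constructed in-range request: 32 bytes at offset 16. */
	printf("in-range fields: old=%d new=%d strict=%d\n",
	    check_old(inlen, 16, 32), check_new(inlen, 16, 32),
	    check_strict(inlen, 16, 32));
	/* Constructed negative length, to show how each guard treats it. */
	printf("negative inlen:  old=%d new=%d strict=%d\n",
	    check_old(-1, 16, 32), check_new(-1, 16, 32),
	    check_strict(-1, 16, 32));
	return 0;
}
```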