Date: Thu, 29 May 2025 13:09:53 GMT
Message-Id: <202505291309.54TD9rmS061669@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Pierre Pronchery
Subject: git: 82c41c9ffc42 - main - umb: avoid wild pointer dereference in umb_decap()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: khorben
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 82c41c9ffc42b8e95eabae7cdc4e0bfbbcad51fb
Auto-Submitted: auto-generated

The branch main has been updated by khorben:

URL: https://cgit.FreeBSD.org/src/commit/?id=82c41c9ffc42b8e95eabae7cdc4e0bfbbcad51fb

commit 82c41c9ffc42b8e95eabae7cdc4e0bfbbcad51fb
Author:     Pierre Pronchery
AuthorDate: 2025-05-27 00:10:49 +0000
Commit:     Pierre Pronchery
CommitDate: 2025-05-29 13:07:57 +0000

    umb: avoid wild pointer dereference in umb_decap()

    When processing messages produced by the USB device, umb_decap() trusts
    ptroff and later dlen and doff with pointer arithmetic, without
    sufficient sanity checks. The resulting pointer address may be outside
    of the valid boundary, causing the wrong memory to be copied or a page
    fault.

    This fix from Gerhard Roth was obtained after coordination upstream
    with OpenBSD. It converts the variables to 64-bit integers, which
    should mitigate the risk of overflows.

    PR:             284920
    Reported by:    Robert Morris
    Approved by:    philip (mentor)
    Sponsored by:   The FreeBSD Foundation
---
 sys/dev/usb/net/if_umb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index a7d3bb764a2b..5703bc03dd39 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -2147,10 +2147,12 @@ umb_decap(struct umb_softc *sc, struct usb_xfer *xfer, int frame) goto fail; } + if (len < ptroff) + goto toosmall; ptr16 = (struct ncm_pointer16 *)(buf + ptroff); psig = UGETDW(ptr16->dwSignature); ptrlen = UGETW(ptr16->wLength); - if (len < ptrlen + ptroff) + if ((uint64_t)len < (uint64_t)ptrlen + (uint64_t)ptroff) goto toosmall; if (!MBIM_NCM_NTH16_ISISG(psig) && !MBIM_NCM_NTH32_ISISG(psig)) { DPRINTF("%s: unsupported NCM pointer signature (0x%08x)\n", @@ -2197,7 +2199,7 @@ umb_decap(struct umb_softc *sc, struct usb_xfer *xfer, int frame) /* Terminating zero entry */ if (dlen == 0 || doff == 0) break; - if (len < dlen + doff) { + if ((uint64_t)len < (uint64_t)dlen + (uint64_t)doff) { /* Skip giant datagram but continue processing */ DPRINTF("%s: datagram too large (%d @ off %d)\n", DEVNAM(sc), dlen, doff);
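Review bot: the new `if (len < ptroff) goto toosmall;` guard in the first hunk (@@ -2147) only establishes that the NDP offset starts inside the buffer, yet the very next lines read `ptr16->dwSignature` and `ptr16->wLength` through `ptr16 = (struct ncm_pointer16 *)(buf + ptroff)`; with `ptroff` equal to, or a few bytes short of, `len` the guard passes and those two reads run past the end of `buf`. The check should cover the pointer header itself, for example `if ((uint64_t)ptroff + sizeof(*ptr16) > (uint64_t)len) goto toosmall;`, so that `ptrlen` is only ever read from memory known to be in bounds; the following `(uint64_t)len < (uint64_t)ptrlen + (uint64_t)ptroff` test then validates the rest of the NDP as intended.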
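Review bot: in the second hunk (@@ -2197) the widened comparison `(uint64_t)len < (uint64_t)dlen + (uint64_t)doff` stops the sum from wrapping, but the `DPRINTF("%s: datagram too large (%d @ off %d)\n", DEVNAM(sc), dlen, doff);` directly below it still formats both values with `%d`, which suggests `dlen` and `doff` are signed ints holding values taken from the wire; a value with the high bit set becomes a negative int, is cast to a huge uint64_t and is correctly skipped, but the diagnostic then prints a negative length and offset, which will mislead whoever is debugging a hostile frame. Either reject negative `dlen`/`doff` explicitly before the arithmetic or keep the wire values in unsigned variables. Relatedly, the commit message says the fix "converts the variables to 64-bit integers", while the diff only casts them at the two comparisons and leaves the declarations untouched; the message should say casts so that a later reader does not look for a type change that is not there.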
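The bug class the commit message describes, worked through as an added example that is not the FreeBSD umb(4) driver's code: a small NTH16/NDP16 decapsulator over a constructed transfer block, with a pre-fix style bounds check placed beside an overflow-free one. It shows both failure modes the fix is about: a length whose sum with its offset wraps so that a same-width comparison lets it through, and an NDP offset that sits inside the buffer while the header behind it does not, which is why the check before reading the NDP header has to cover the header's size and not only its start. The frame layout follows USB NCM 1.0 NTH16/NDP16 with the MBIM "IPS0" NDP signature as this example assumes them; the names `in_bounds`, `naive_in_bounds`, `ncm_decap`, `build_frame` and `demo_decap` are this example's own, and the sample frame is constructed, not captured from a device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the FreeBSD umb(4) driver's code. Layout assumed from
 * USB NCM 1.0 (NTH16/NDP16) and MBIM ("IPS" + session id NDP signature). */
#define NTH16_LEN       12            /* dwSignature wHeaderLength wSequence wBlockLength wNdpIndex */
#define NDP16_HDR_LEN   8             /* dwSignature wLength wNextNdpIndex */
#define NTH16_SIG       0x484D434EUL  /* "NCMH" */
#define NDP16_SIG_IPS0  0x00535049UL  /* "IPS" + session 0 */
#define FRAME_LEN       64

/* Little-endian accessors, the role UGETW/UGETDW play in the driver. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Pre-fix style check: with same-width operands off + n can wrap, so a length
 * running gigabytes past the buffer passes. Unsigned so the wrap is defined. */
static int naive_in_bounds(uint32_t len, uint32_t off, uint32_t n)
{
    return !(len < off + n);
}

/* Overflow-free form: off lies inside the buffer and n fits in what is left
 * after off. Needs no widening and is safe whatever type the caller holds. */
static int in_bounds(size_t len, uint64_t off, uint64_t n)
{
    return off <= len && n <= len - off;
}

struct datagram { uint16_t off, len; };

/* Decapsulate one NTB: returns the number of datagrams accepted, or -1 for a
 * malformed frame. Every wire offset/length is checked against len before the
 * bytes behind it are read. */
static int ncm_decap(const uint8_t *buf, size_t len, struct datagram *out, int max)
{
    if (!in_bounds(len, 0, NTH16_LEN) || rd32(buf) != NTH16_SIG)
        return -1;
    uint16_t ptroff = rd16(buf + 10);                       /* wNdpIndex */
    /* The whole NDP header must fit: testing only len < ptroff would let the
     * wLength read below run past the end of buf. */
    if (!in_bounds(len, ptroff, NDP16_HDR_LEN) || rd32(buf + ptroff) != NDP16_SIG_IPS0)
        return -1;
    uint16_t ptrlen = rd16(buf + ptroff + 4);               /* wLength */
    if (ptrlen < NDP16_HDR_LEN || !in_bounds(len, ptroff, ptrlen))
        return -1;

    int n = 0;
    size_t end = (size_t)ptroff + ptrlen;
    for (size_t e = (size_t)ptroff + NDP16_HDR_LEN; e + 4 <= end; e += 4) {
        uint16_t doff = rd16(buf + e), dlen = rd16(buf + e + 2);
        if (doff == 0 || dlen == 0)                         /* terminating zero entry */
            break;
        if (!in_bounds(len, doff, dlen))                    /* skip giant datagram, keep going */
            continue;
        if (n < max) { out[n].off = doff; out[n].len = dlen; }
        n++;
    }
    return n;
}

/* Constructed sample NTB (not captured): one valid datagram and one whose
 * length runs far past the 64-byte frame. */
static void build_frame(uint8_t buf[FRAME_LEN])
{
    memset(buf, 0, FRAME_LEN);
    wr32(buf, NTH16_SIG);
    wr16(buf + 4, NTH16_LEN);                   /* wHeaderLength */
    wr16(buf + 6, 1);                           /* wSequence */
    wr16(buf + 8, FRAME_LEN);                   /* wBlockLength */
    wr16(buf + 10, 40);                         /* wNdpIndex: NDP at offset 40 */
    memset(buf + 12, 0xAB, 20);                 /* datagram payload at 12, length 20 */
    uint8_t *ndp = buf + 40;
    wr32(ndp, NDP16_SIG_IPS0);
    wr16(ndp + 4, NDP16_HDR_LEN + 3 * 4);       /* wLength: header + three entries */
    wr16(ndp + 6, 0);                           /* wNextNdpIndex */
    wr16(ndp + 8, 12);  wr16(ndp + 10, 20);     /* good entry */
    wr16(ndp + 12, 32); wr16(ndp + 14, 0xFFF0); /* hostile entry: 64 KiB past the end */
    wr16(ndp + 16, 0);  wr16(ndp + 18, 0);      /* terminator */
}

/* Parse the constructed frame as if the transfer delivered only len bytes. */
static int demo_decap(size_t len)
{
    uint8_t frame[FRAME_LEN];
    struct datagram d[4];
    build_frame(frame);
    return ncm_decap(frame, len, d, 4);
}

int main(void)
{
    printf("full frame: %d datagram(s) accepted, hostile one skipped\n", demo_decap(FRAME_LEN));
    printf("frame cut at 45 bytes (NDP header truncated): %d\n", demo_decap(45));
    printf("naive check, off=0xFFFFFFF0 n=0x20 in 64 bytes: %s\n",
           naive_in_bounds(64, 0xFFFFFFF0u, 0x20u) ? "passes (sum wrapped)" : "rejects");
    printf("safe check, same values: %s\n",
           in_bounds(64, 0xFFFFFFF0u, 0x20u) ? "passes" : "rejects");
    return 0;
}
```

Build with `cc -Wall -o ncm_demo ncm_demo.c` and run it. The `n <= len - off` form is what the driver's `(uint64_t)` casts achieve when every operand is widened before the addition; it is worth preferring because it stays correct even if someone later narrows one operand again. The truncated-frame case is the one a simple `len < ptroff` guard does not catch: the NDP starts at byte 40 of a 45-byte frame, so the offset is "inside" the buffer while its 8-byte header is not.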