From patchwork Fri Apr 14 10:11:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Greenman, Gregory" X-Patchwork-Id: 673349 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9E5CC77B6E for ; Fri, 14 Apr 2023 10:14:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229871AbjDNKOg (ORCPT ); Fri, 14 Apr 2023 06:14:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52388 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229841AbjDNKOf (ORCPT ); Fri, 14 Apr 2023 06:14:35 -0400 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3E3312D6B for ; Fri, 14 Apr 2023 03:13:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1681467237; x=1713003237; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=+92juXt6V26BBvbcrT5VRudgMZ9MlCp4R6jkxhrzGK4=; b=etEYY3loetVB5Jbfqr6Kpryklw1iVyr1RK8jLD3+J+vOycu+Ti5+yEq0 6lCys3GdqHeeuRKnx514jQ/Hnycx8IVz/2vffQos2C/jNh8TuP2hlib/G idECNmMYN6VYuT+2FQ/geEZ7+R/qEAERx+cAai9HW7+8dhoMdq3hEbeVe 5BpGU7IL9MlRtVvhjPt2KFBEQLVOU2d6Y9r4HEHuOp6Ef+k8YFXFY0rX+ c5t6XP8IJqY/+CTYyXF15VdXS6Jsm7IWipcTxLRlRDRQPoec6BkY+rQb8 3XpFB/hfN40wla1TNXNEy5TWbi+sC7PdjypzJTvPyAseZB0fnHlkb+c4w A==; X-IronPort-AV: E=McAfee;i="6600,9927,10679"; a="346263625" X-IronPort-AV: E=Sophos;i="5.99,195,1677571200"; d="scan'208";a="346263625" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Apr 2023 03:12:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10679"; a="692351737" X-IronPort-AV: E=Sophos;i="5.99,195,1677571200"; d="scan'208";a="692351737" Received: from yalankry-mobl.ger.corp.intel.com (HELO ggreenma-mobl2.lan) ([10.214.233.156]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Apr 2023 03:12:34 -0700 From: gregory.greenman@intel.com To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Hyunwoo Kim , Gregory Greenman Subject: [PATCH 08/15] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Date: Fri, 14 Apr 2023 13:11:59 +0300 Message-Id: <20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230414101206.1170180-1-gregory.greenman@intel.com> References: <20230414101206.1170180-1-gregory.greenman@intel.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Hyunwoo Kim An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) *size = buf_size_left; If the user passes a SIZE_MAX value to the "ssize_t count" parameter, the ssize_t count parameter is assigned to "int buf_size_left". Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a negative number, so "*size" is assigned "buf_size_left" and goes into the third argument of the copy_to_user function, causing a heap overflow. This is not a security vulnerability because iwl_dbgfs_monitor_data_read() is a debugfs operation with 0400 privileges. Signed-off-by: Hyunwoo Kim Signed-off-by: Gregory Greenman --- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c index 40283fe622da..1b32a4035d88 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c @@ -2860,7 +2860,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { - int buf_size_left = count - *bytes_copied; + ssize_t buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left)