[Bug 284906] if_umb.c umb_getinfobuf() buffer overflow
Date: Wed, 19 Feb 2025 19:24:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284906
Bug ID: 284906
Summary: if_umb.c umb_getinfobuf() buffer overflow
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: usb
Assignee: usb@FreeBSD.org
Reporter: rtm@lcs.mit.edu
if_umb.c calls umb_getinfobuf() with offs and size taken from messages
sent by the USB device. The "inlen >= offs + sz" check isn't
sufficient due to possible integer wrap. This can allow a broken or
malicious USB device to cause a buffer overflow.
static inline void
umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz,
    void *out, size_t outlen)
{
	offs = le32toh(offs);
	sz = le32toh(sz);
	if (inlen >= offs + sz) {
		memset(out, 0, outlen);
		memcpy(out, in + offs, MIN(sz, outlen));
	}
}
Here's a backtrace from just before a crash:
#0 umb_getinfobuf (in=0xffffffd00cbb8330 "", inlen=80, offs=1679818755,
sz=2615148541, out=0xffffffc094c4d338, outlen=40)
at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1402
#1 umb_decode_register_state (sc=0xffffffc094c4d000, data=0xffffffd00cbb8330,
len=80) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1468
#2 umb_decode_cid (sc=0xffffffc094c4d000, cid=<optimized out>,
data=0xffffffd00cbb8330, len=80)
at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:2673
#3 0xffffffc00026db7e in umb_decode_response (sc=0xffffffc094c4d000,
response=0xffffffd00cbb8300, len=128)
at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1355
#4 umb_get_response_task (msg=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1243
#5 0xffffffc0002552da in usb_process (arg=0xffffffc094c4d078)
at /usr/rtm/symbsd/src/sys/dev/usb/usb_process.c:160
#6 0xffffffc0003f8740 in fork_exit (callout=0xffffffc0002551de <usb_process>,
arg=0xffffffc094c4d078, frame=0xffffffc0826c6c40)
at /usr/rtm/symbsd/src/sys/kern/kern_fork.c:1152
#7 0xffffffc0007efbde in fork_trampoline ()
at /usr/rtm/symbsd/src/sys/riscv/riscv/swtch.S:370
(gdb) print offs
$4 = 1679818755
(gdb) print sz
$5 = 2615148541
(gdb) print offs + sz
$7 = 0
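The following C program is an added illustration and is not part of the bug report or of the FreeBSD source. It reproduces the quoted bounds test as check_original() with the exact offs/sz/inlen values from the gdb session above, showing that the uint32_t sum wraps to 0 and the check passes, and places beside it a hypothetical hardened test, check_fixed(), that never adds the two device-supplied values. The names check_original, check_fixed, getinfobuf_fixed and run_case are this example's own, the byte-swapping with le32toh() is omitted (values are assumed already in host order), and the 80-byte message is constructed, not a real MBIM frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 80	/* matches inlen in the report's backtrace */
#define OUT_LEN 40	/* matches outlen in the report's backtrace */

/*
 * check_original: the bounds test exactly as quoted in the report.
 * inlen is converted to unsigned for the comparison and offs + sz is
 * computed in uint32_t, so the sum wraps modulo 2^32 and an absurd
 * (offs, sz) pair can still satisfy "inlen >= offs + sz".
 */
static bool
check_original(int inlen, uint32_t offs, uint32_t sz)
{
	return inlen >= offs + sz;
}

/*
 * check_fixed (hypothetical replacement, not the committed FreeBSD fix):
 * reject negative lengths, then bound each untrusted value against the
 * space that remains, so no addition that could wrap ever happens.
 */
static bool
check_fixed(int inlen, uint32_t offs, uint32_t sz)
{
	if (inlen < 0)
		return false;
	if (offs > (uint32_t)inlen)
		return false;
	return sz <= (uint32_t)inlen - offs;
}

/*
 * getinfobuf_fixed: same shape as umb_getinfobuf() but using the safe
 * check. Returns the number of bytes copied, or -1 when the message's
 * offset/size pair is rejected.
 */
static int
getinfobuf_fixed(const char *in, int inlen, uint32_t offs, uint32_t sz,
    void *out, size_t outlen)
{
	size_t n;

	if (!check_fixed(inlen, offs, sz))
		return -1;
	memset(out, 0, outlen);
	n = sz < outlen ? sz : outlen;	/* MIN(sz, outlen) */
	memcpy(out, in + offs, n);
	return (int)n;
}

/*
 * run_case: push a constructed 80-byte message (not a real MBIM frame)
 * through getinfobuf_fixed with offs/sz standing in for device input.
 */
static int
run_case(uint32_t offs, uint32_t sz)
{
	char msg[MSG_LEN];
	char out[OUT_LEN];
	int i;

	for (i = 0; i < MSG_LEN; i++)
		msg[i] = (char)i;
	return getinfobuf_fixed(msg, MSG_LEN, offs, sz, out, sizeof(out));
}

int
main(void)
{
	/* The exact values from the report's gdb session. */
	uint32_t offs = 1679818755u, sz = 2615148541u;

	printf("offs + sz wraps to %u\n", offs + sz);
	printf("original check passes: %d\n", check_original(MSG_LEN, offs, sz));
	printf("fixed check passes:    %d\n", check_fixed(MSG_LEN, offs, sz));
	printf("fixed copy result:     %d\n", run_case(offs, sz));
	printf("sane copy (offs 8, sz 16): %d bytes\n", run_case(8, 16));
	return 0;
}
```

The design point is that any check of the form "inlen >= offs + sz" on unsigned operands is only safe if the sum is known not to wrap; comparing each operand against the remaining length, as check_fixed() does, makes the wrap impossible rather than merely unlikely. Compiling with -Wsign-compare also flags the original comparison, since inlen is signed and offs + sz is not.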