[Bug 284920] wild pointer dereference in if_umb.c umb_decap()

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 20 Feb 2025 10:14:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284920

            Bug ID: 284920
           Summary: wild pointer dereference in if_umb.c umb_decap()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: usb
          Assignee: usb@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

When processing a message produced by a USB device, umb_decap()
says:

        ptroff = UGETDW(hdr32->dwNdpIndex);
        ...;
        ptr16 = (struct ncm_pointer16 *)(buf + ptroff);
        psig = UGETDW(ptr16->dwSignature);

But ptroff can be any 32-bit value, so a broken or malicious USB
device can cause ptr16 to point outside the message buffer.

Here's a backtrace just before a crash:

#0  umb_decap (sc=0xffffffc094c4d000, xfer=0xffffffd00cd06a78, frame=0)
    at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:2185
#1  umb_rxeof (xfer=0xffffffd00cd06a78, status=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1944
#2  0xffffffc000259a16 in usbd_callback_wrapper (pq=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
#3  0xffffffc00025ab56 in usb_command_wrapper (pq=0xffffffd00cd06860, 
    xfer=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
#4  0xffffffc000259bba in usb_callback_proc (_pm=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345
#5  0xffffffc0002552da in usb_process (arg=0xffffffc09ddd8948)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_process.c:160

(gdb) print *(struct ncm_header32 *)buf
$6 = {dwSignature = "ncmh", wHeaderLength = "\020", wSequence = "\000", 
  dwBlockLength = "\000\000\000", dwNdpIndex = "\377\377\377\177"}
(gdb) print ptroff
$11 = 2147483647
(gdb) print buf
$12 = 0xffffffc09dded000 "ncmh\020"
(gdb) print ptr16
$13 = (struct ncm_pointer16 *) 0xffffffc11ddecfff

FreeBSD  15.0-CURRENT FreeBSD 15.0-CURRENT #469
main-n250999-c0872cef91fc-dirty: Thu Feb 20 04:20:41 EST 2025    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
