From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 284876] two problems in if_upgt.c
Date: Tue, 18 Feb 2025 10:58:41 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-wireless

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284876

            Bug ID: 284876
           Summary: two problems in if_upgt.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

1) upgt_tx_done() in if_upgt.c unlocks:

    if (freed != 0) {
        UPGT_UNLOCK(sc);
        ...;
        upgt_start(sc);
        UPGT_LOCK(sc);
    }

but upgt_start() starts with:

    UPGT_ASSERT_LOCKED(sc);

2) A malicious USB device can cause a buffer overflow in upgt_rxeof(), since
eeprom->offset and eeprom->len (and the copied bytes in data->buf) are
supplied by the device, but sc->sc_eeprom is only 2*8192 bytes long.

    if (h1_type == UPGT_H1_TYPE_CTRL && h2_type == UPGT_H2_TYPE_EEPROM) {
        eeprom = (struct upgt_lmac_eeprom *)(data->buf + 4);
        uint16_t eeprom_offset = le16toh(eeprom->offset);
        uint16_t eeprom_len = le16toh(eeprom->len);
        ...;
        memcpy(sc->sc_eeprom + eeprom_offset,
            data->buf + sizeof(struct upgt_lmac_eeprom) + 4, eeprom_len);

    #define UPGT_EEPROM_SIZE 8192
    uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);

-- 
You are receiving this mail because:
You are the assignee for the bug.
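The kind of bounds check problem 2 calls for, as an added example that is not part of the bug report or of the if_upgt.c driver: device-supplied offset and len are validated against both the bytes the USB stack actually delivered and the fixed 2*8192-byte sc_eeprom from the report before any memcpy. It assumes a 4-byte chunk header of little-endian offset and len fields as a stand-in for struct upgt_lmac_eeprom, and the names eeprom_rx_checked, eeprom_try, dev_state and CHUNK_HDR_LEN are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UPGT_EEPROM_SIZE 8192   /* from the report */
#define UPGT_HDR_LEN 4          /* the "+ 4" skipped in the quoted memcpy */
#define CHUNK_HDR_LEN 4         /* assumed layout: uint16_t offset, uint16_t len */

struct dev_state {
    uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE];   /* size as in the report */
};

static uint16_t le16_at(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one EEPROM chunk and copy it into sc_eeprom only if it fits.
 * buflen is what the USB stack really received; offset and len come from
 * the device and are treated as hostile.  Returns 1 if copied, 0 if rejected. */
int eeprom_rx_checked(struct dev_state *sc, const uint8_t *buf, size_t buflen)
{
    const size_t payload_off = UPGT_HDR_LEN + CHUNK_HDR_LEN;

    if (buflen < payload_off)      /* chunk header itself is truncated */
        return 0;
    uint16_t offset = le16_at(buf + UPGT_HDR_LEN);
    uint16_t len = le16_at(buf + UPGT_HDR_LEN + 2);
    /* 1. the claimed payload must lie inside the bytes actually received */
    if (len > buflen - payload_off)
        return 0;
    /* 2. the destination must lie inside sc_eeprom; subtracting from the
     *    buffer size instead of computing offset+len cannot wrap around */
    if (offset > sizeof(sc->sc_eeprom) || len > sizeof(sc->sc_eeprom) - offset)
        return 0;
    memcpy(sc->sc_eeprom + offset, buf + payload_off, len);
    return 1;
}

/* Build a constructed chunk with the given header fields plus payload_len
 * filler bytes and feed it to eeprom_rx_checked (1 = accepted, 0 = rejected). */
int eeprom_try(uint16_t offset, uint16_t len, size_t payload_len)
{
    static struct dev_state sc;
    uint8_t buf[64] = { [UPGT_HDR_LEN] = offset & 0xff, offset >> 8,
                        len & 0xff, len >> 8 };
    size_t buflen = UPGT_HDR_LEN + CHUNK_HDR_LEN + payload_len;
    if (buflen > sizeof buf)
        return -1;
    memset(buf + UPGT_HDR_LEN + CHUNK_HDR_LEN, 0xAB, payload_len);
    return eeprom_rx_checked(&sc, buf, buflen);
}
```

The second check is written as a subtraction from the buffer size on purpose: computing offset + len first and comparing that sum is the classic way such checks get defeated when the sum wraps.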