https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284904
Bug ID: 284904
Summary: buffer overflow in if_umb.c umb_in_len2mask()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: usb
Assignee: usb@FreeBSD.org
Reporter: r...@lcs.mit.edu

umb_in_len2mask(mask, len) will write as many as len/8 bytes:

    for (i = 0; i < len / 8; i++)
        p[i] = 0xff;

len comes from an ipv4elem.prefixlen in a MBIM_CID_IP_CONFIGURATION message from the USB device, and can be any uint32_t value. So a broken or malicious USB device can cause a buffer overflow.

Here's a backtrace from just before a crash:

#0  umb_in_len2mask (mask=0xffffffc0826c69c0, len=50331648) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1448
#1  umb_add_inet_config (sc=0xffffffc094c4d000, ip=..., prefixlen=50331648, gw=...) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1778
#2  0xffffffc00026fe1e in umb_decode_ip_configuration (sc=0xffffffc094c4d000, data=0xffffffd00cbb9330, len=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1855
#3  umb_decode_cid (sc=0xffffffc094c4d000, cid=<optimized out>, data=0xffffffd00cbb9330, len=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:2685
#4  0xffffffc00026db7e in umb_decode_response (sc=0xffffffc094c4d000, response=0xffffffd00cbb9300, len=128) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1355
#5  umb_get_response_task (msg=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/net/if_umb.c:1243
#6  0xffffffc0002552da in usb_process (arg=0xffffffc094c4d078) at /usr/rtm/symbsd/src/sys/dev/usb/usb_process.c:160
#7  0xffffffc0003f8750 in fork_exit (callout=0xffffffc0002551de <usb_process>, arg=0xffffffc094c4d078, frame=0xffffffc0826c6c40) at /usr/rtm/symbsd/src/sys/kern/kern_fork.c:1152
#8  0xffffffc0007efbee in fork_trampoline () at /usr/rtm/symbsd/src/sys/riscv/riscv/swtch.S:370

-- 
You are receiving this mail because:
You are the assignee for the bug.
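To make the failure mode in the report concrete, here is an added example (not code from FreeBSD's if_umb.c and not from the reporter). It models the quoted loop writing into a 4-byte in_addr that sits in front of a canary, so a hostile length shows up as clobbered canary bytes instead of a kernel crash, and puts a checked variant next to it that refuses any prefixlen above 32 before the first store, which is what stops the device-supplied 50331648 from the backtrace. Every demo_* name and the frame layout are invented for this example; the partial-byte step after the loop is assumed, since the report quotes only the loop.

```c
/*
 * Added example, not FreeBSD's if_umb.c: the umb_in_len2mask() loop from
 * the report in front of a canary (overflow visible, no crash), beside a
 * checked variant that refuses prefixlen > 32. demo_* names are invented;
 * the partial-byte step after the loop is my assumption, not quoted.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

#define CANARY_BYTE 0xA5

/* Constructed layout: the 4-byte mask is followed by 16 canary bytes. */
union demo_frame {
	struct { struct in_addr mask; uint8_t canary[16]; } s;
	uint8_t bytes[sizeof(struct in_addr) + 16];
};

/* Unchecked: len/8 bytes of 0xff from the start of mask, never consulting
 * sizeof(*mask). The len=50331648 in the backtrace means ~6 MB past it. */
static void
demo_len2mask_unchecked(struct in_addr *mask, uint32_t len)
{
	uint8_t *p = (uint8_t *)mask;
	uint32_t i;

	memset(mask, 0, sizeof(*mask));
	for (i = 0; i < len / 8; i++)
		p[i] = 0xff;
	if (len % 8)
		p[i] = (uint8_t)(0xff00 >> (len % 8));
}

/* Checked: an IPv4 prefix is at most 32 bits; returns -1 without writing. */
static int
demo_len2mask_checked(struct in_addr *mask, uint32_t len)
{
	uint8_t *p = (uint8_t *)mask;
	uint32_t i;

	if (len > 8 * sizeof(*mask))
		return -1;
	memset(mask, 0, sizeof(*mask));
	for (i = 0; i < len / 8; i++)
		p[i] = 0xff;
	if (len % 8)
		p[i] = (uint8_t)(0xff00 >> (len % 8));
	return 0;
}

/* Canary bytes no longer holding CANARY_BYTE; 0 means no overflow. */
static size_t
demo_canary_damage(const union demo_frame *f)
{
	size_t n = 0, i;

	for (i = 0; i < sizeof(f->s.canary); i++)
		if (f->s.canary[i] != CANARY_BYTE)
			n++;
	return n;
}

/* Hostile len through the unchecked variant; returns clobbered canary
 * bytes. Keep len <= 8 * sizeof(union demo_frame) or the demo crashes. */
static size_t
demo_unchecked_damage(uint32_t len)
{
	union demo_frame f;

	memset(f.bytes, 0, sizeof(f.bytes));
	memset(f.s.canary, CANARY_BYTE, sizeof(f.s.canary));
	demo_len2mask_unchecked(&f.s.mask, len);
	return demo_canary_damage(&f);
}

/* 1 if the checked variant refused len and left the canary untouched. */
static int
demo_checked_rejects_cleanly(uint32_t len)
{
	union demo_frame f;

	memset(f.bytes, 0, sizeof(f.bytes));
	memset(f.s.canary, CANARY_BYTE, sizeof(f.s.canary));
	return demo_len2mask_checked(&f.s.mask, len) == -1 &&
	    demo_canary_damage(&f) == 0;
}

/* Host-order mask for a valid prefix length, 0 if it was refused. */
static uint32_t
demo_mask_host(uint32_t len)
{
	struct in_addr m;

	return demo_len2mask_checked(&m, len) == 0 ? ntohl(m.s_addr) : 0;
}

int
main(void)
{
	printf("/20 mask 0x%08x\n", demo_mask_host(20));
	printf("unchecked len=96: %zu canary bytes clobbered\n",
	    demo_unchecked_damage(96));
	printf("checked len=50331648 refused cleanly: %d\n",
	    demo_checked_rejects_cleanly(50331648u));
	return 0;
}
```

The bound in the checked variant is expressed as 8 * sizeof(*mask) rather than a literal 32 so that it follows the destination's size; the comparison happens before memset and before the loop, so an over-long prefix from the device results in no write at all rather than a partially filled mask. Note that the unchecked demo is only safe with small hostile lengths that stay inside the constructed frame.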