https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284769

            Bug ID: 284769
           Summary: zyd_bulk_read_callback() can cause wild memory read
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: r...@lcs.mit.edu

If a USB device claiming to be a "zyd" generates a bulk data read
response with size less than sizeof(zyd_rx_desc), then this line in
if_zyd.c's zyd_bulk_read_callback() will call usbd_copy_out() with a
negative (thus unsigned huge) offset:

                usbd_copy_out(pc, actlen - sizeof(desc), &desc, sizeof(desc));

This causes usbd_copy_out()'s call to usbd_get_page() to produce a
res.buffer that's much too large, which usbd_copy_out() then passes to
memcpy():

                memcpy(ptr, res.buffer, res.length);

#0  usbd_get_page (pc=0xffffffc09ddefa20, offset=4294967289, 
    res=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/usb_busdma.c:91
#1  usbd_copy_out (cache=0xffffffc09ddefa20, offset=4294967289, 
    ptr=0xffffffc0826d5a60, len=8)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_busdma.c:288
#2  0xffffffc0002b1306 in zyd_bulk_read_callback (xfer=0xffffffc09ddef278, 
    error=USB_ERR_NORMAL_COMPLETION)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_zyd.c:2247
#3  0xffffffc000259b7e in usbd_callback_wrapper (pq=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
#4  0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc09ddef060, 
    xfer=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
#5  0xffffffc000259d22 in usb_callback_proc (_pm=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345
#6  0xffffffc000255442 in usb_process (arg=0xffffffc09ddd2948)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_process.c:160
#7  0xffffffc0003f63b2 in fork_exit (callout=0xffffffc000255346 <usb_process>, 
    arg=0xffffffc09ddd2948, frame=0xffffffc0826d5c40)
    at /usr/rtm/symbsd/src/sys/kern/kern_fork.c:1152
#8  0xffffffc0007ec67e in fork_trampoline ()
    at /usr/rtm/symbsd/src/sys/riscv/riscv/swtch.S:370
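The arithmetic behind the wrap and the length check that prevents it, as an added illustration that is not code from the report or from if_zyd.c. It assumes an 8-byte descriptor stub and a 32-bit offset type, both of which are consistent with the backtrace's len=8 and offset=4294967289 (2^32 - 7, i.e. actlen 1 minus 8).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct zyd_rx_desc.  The backtrace shows
 * usbd_copy_out() called with len=8, so an 8-byte descriptor matches it. */
struct rx_desc_stub {
    uint8_t raw[8];
};

/* Same shape as the driver's quoted expression: an int actlen minus a size_t.
 * Usual arithmetic conversions make the subtraction unsigned, so for
 * actlen < sizeof(desc) it wraps; the result is then narrowed to the 32-bit
 * offset type usbd_copy_out() is assumed to take (hence 4294967289 for
 * actlen == 1). */
uint32_t desc_offset_unchecked(int actlen)
{
    return (uint32_t)(actlen - sizeof(struct rx_desc_stub));
}

/* Hardened form: validate the transfer length before subtracting.
 * Returns the offset of the trailing descriptor, or -1 when the transfer
 * is too short to contain one (the case the report describes). */
int64_t desc_offset_checked(int actlen)
{
    if (actlen < 0 || (size_t)actlen < sizeof(struct rx_desc_stub))
        return -1;
    return (int64_t)actlen - (int64_t)sizeof(struct rx_desc_stub);
}

int main(void)
{
    /* Constructed inputs: a 1-byte short transfer and a 64-byte valid one. */
    printf("actlen=1:  unchecked offset = %u\n", desc_offset_unchecked(1));
    printf("actlen=1:  checked result   = %lld\n",
           (long long)desc_offset_checked(1));
    printf("actlen=64: checked offset   = %lld\n",
           (long long)desc_offset_checked(64));
    return 0;
}
```

The unchecked value for actlen=1 is exactly the offset in frame #1 of the backtrace, which is how a short bulk response from a malicious or faulty device reaches memcpy() with a wild source pointer.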
