If a malicious USB device pretends to be an Intersil p54 wifi interface and generates an eeprom_readback message with a large eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the message beyond the end of priv->eeprom.

static void p54_rx_eeprom_readback(struct p54_common *priv,
				   struct sk_buff *skb)
{
	struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
	struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;

	if (priv->fw_var >= 0x509) {
		memcpy(priv->eeprom, eeprom->v2.data,
		       le16_to_cpu(eeprom->v2.len));
	} else {
		memcpy(priv->eeprom, eeprom->v1.data,
		       le16_to_cpu(eeprom->v1.len));
	}

priv->eeprom is allocated in p54_read_eeprom() with length 0x2020.

I've attached a demo, using usbip, that puts 0xffff in eeprom->v1.len.

# uname -a
Linux xxx 6.15.0-rc5-00136-g9c69f8884904 #20 SMP PREEMPT_DYNAMIC Wed May 14 16:45:28 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
# cc usbis2c.c
# ./a.out
[  144.779715] ieee80211 phy1: unexpected end of eeprom data.
[  144.780624] ieee80211 phy1: eeprom parse failed!
[  146.100021] p54usb 1-1:1.0: failed to initialize device (-61)
[  146.101718] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  146.102814] #PF: supervisor read access in kernel mode
[  146.103629] #PF: error_code(0x0000) - not-present page
[  146.104438] PGD 0 P4D 0
[  146.104862] Oops: Oops: 0000 [#1] SMP PTI
[  146.105514] CPU: 2 UID: 0 PID: 448 Comm: systemd-udevd Not tainted 6.15.0-rc5-00136-g9c69f8884904 #20 PREEMPT(voluntary)
[  146.106265] Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
[  146.106608] RIP: 0010:selinux_socket_sendmsg+0x55/0xe0
[  146.106926] Code: 00 00 48 89 d7 49 8b b0 90 02 00 00 48 c7 44 24 08 00 00 00 00 48 c7 44 24 10 00 00 00 00 48 c7 44 24 18 00 00 00 00 f3 48 ab <8b> 4e 10 83 f9 01 74 64 0f b6 3d f6 f2 10 02 40 80 ff 01 74 05 83
[  146.107900] RSP: 0018:ffff8bea407e3c48 EFLAGS: 00010246
[  146.108181] RAX: 0000000000000000 RBX: ffff89f60736b4c0 RCX: 0000000000000000
[  146.108560] RDX: ffff8bea407e3c68 RSI: 0000000000000000 RDI: ffff8bea407e3ca0
[  146.108947] RBP: ffff8bea407e3ea0 R08: ffff89f602643e00 R09: 000000007ffff000
[  146.109332] R10: 000000007fffee68 R11: 00007ffffffff000 R12: 0000000000000199
[  146.109715] R13: ffff8bea407e3cd8 R14: ffff89f60736b4c0 R15: ffff8bea407e3cd8
[  146.110104] FS:  00007f47e33128c0(0000) GS:ffff89f973551000(0000) knlGS:0000000000000000
[  146.110530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  146.110837] CR2: 0000000000000010 CR3: 0000000107698001 CR4: 00000000003706f0
[  146.111202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  146.111564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  146.111930] Call Trace:
[  146.112069]  <TASK>
[  146.112190]  security_socket_sendmsg+0x37/0x50
[  146.112428]  ____sys_sendmsg+0x235/0x330
[  146.112639]  ___sys_sendmsg+0x94/0xe0
[  146.112843]  ? stack_depot_save_flags+0x29/0x7f0
[  146.113096]  __sys_sendmsg+0x81/0xe0
[  146.113289]  do_syscall_64+0x9e/0x1a0
[  146.113490]  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Robert Morris
rtm@xxxxxxx
Attachment:
usbis2c.c
Description: Binary data
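The two length checks the report shows are missing, as an added userspace illustration written for this page (not the p54 driver's code and not the upstream fix); the struct and message layout are simplified constructed stand-ins for the kernel types, and demo() is a hypothetical harness that replays the 0xffff claim against a 0x2020-byte destination:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define P54_EEPROM_SIZE 0x2020   /* allocation size of priv->eeprom, from the report */

/* Constructed stand-in for the driver's private struct: only what is needed here. */
struct p54_common {
    uint8_t *eeprom;
    size_t eeprom_size;
};

/* Message layout assumed here (simplified v1 readback): 2-byte LE offset,
 * 2-byte LE len, then the data bytes. Returns 0 on copy, -1 on reject. */
static int p54_rx_eeprom_readback_checked(struct p54_common *priv,
                                          const uint8_t *msg, size_t msg_len)
{
    const size_t hdr = 4;
    uint16_t len;

    if (msg_len < hdr)                 /* header itself must be complete */
        return -1;
    len = (uint16_t)(msg[2] | (msg[3] << 8));
    if (len > msg_len - hdr)           /* device must have actually sent len bytes */
        return -1;
    if (len > priv->eeprom_size)       /* must fit the 0x2020-byte destination */
        return -1;
    memcpy(priv->eeprom, msg + hdr, len);
    return 0;
}

/* Builds a message that claims claimed_len bytes but carries payload_len bytes
 * (the attached demo claims 0xffff), feeds it to the handler, returns its verdict. */
int demo(uint16_t claimed_len, size_t payload_len)
{
    size_t msg_len = 4 + payload_len;
    uint8_t *msg = calloc(msg_len, 1);
    static uint8_t eeprom[P54_EEPROM_SIZE];
    struct p54_common priv = { eeprom, sizeof(eeprom) };
    int rc;

    if (!msg)
        return -1;
    msg[2] = claimed_len & 0xff;
    msg[3] = claimed_len >> 8;
    memset(msg + 4, 0xab, payload_len);         /* constructed filler data */
    rc = p54_rx_eeprom_readback_checked(&priv, msg, msg_len);
    free(msg);
    return rc;
}
```

demo(0xffff, 16) is rejected on the first check because only 16 payload bytes are present, and demo(0x2021, 0x2021) is rejected on the second because the destination holds only 0x2020 bytes.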