From 389d05a87c457e843c311a53cbf67dd9064fa3da Mon Sep 17 00:00:00 2001 From: stsp Date: Mon, 29 Aug 2022 17:59:12 +0000 Subject: [PATCH] Fix integer overflows in iwm(4) and iwx(4) firmware file parsers. Found by hshoexer and gerhard@, and reported to me by Christian Ehrhardt. ok gerhard@ --- sys/dev/pci/if_iwm.c | 9 ++++++++- sys/dev/pci/if_iwx.c | 13 +++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c index 0bc32b52e41..b7d37d7182e 100644 --- a/sys/dev/pci/if_iwm.c +++ b/sys/dev/pci/if_iwm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwm.c,v 1.403 2022/07/11 11:28:37 stsp Exp $ */ +/* $OpenBSD: if_iwm.c,v 1.404 2022/08/29 17:59:12 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -1015,6 +1015,13 @@ iwm_read_firmware(struct iwm_softc *sc) goto parse_out; } + /* + * Check for size_t overflow and ignore missing padding at + * end of firmware file. + */ + if (roundup(tlv_len, 4) > len) + break; + len -= roundup(tlv_len, 4); data += roundup(tlv_len, 4); } diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c index 9497ddbe2e6..f4dc3de32d8 100644 --- a/sys/dev/pci/if_iwx.c +++ b/sys/dev/pci/if_iwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwx.c,v 1.149 2022/05/14 05:42:39 stsp Exp $ */ +/* $OpenBSD: if_iwx.c,v 1.150 2022/08/29 17:59:12 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -1566,6 +1566,13 @@ iwx_read_firmware(struct iwx_softc *sc) goto parse_out; } + /* + * Check for size_t overflow and ignore missing padding at + * end of firmware file. + */ + if (roundup(tlv_len, 4) > len) + break; + len -= roundup(tlv_len, 4); data += roundup(tlv_len, 4); } @@ -3986,6 +3993,8 @@ iwx_pnvm_handle_section(struct iwx_softc *sc, const uint8_t *data, break; } + if (roundup(tlv_len, 4) > len) + break; len -= roundup(tlv_len, 4); data += roundup(tlv_len, 4); } @@ -4024,7 +4033,7 @@ iwx_pnvm_parse(struct iwx_softc *sc, const uint8_t *data, size_t len) tlv_len = le32toh(tlv->length); tlv_type = le32toh(tlv->type); - if (len < tlv_len) + if (len < tlv_len || roundup(tlv_len, 4) > len) return EINVAL; if (tlv_type == IWX_UCODE_TLV_PNVM_SKU) { -- 2.20.1