ipheth: fix DPE OoB read

integrate upstream patches to fix DPE OoB read
1. fix possible overflow in DPE length check
2. check that DPE points past NCM header
3. use static NDP16 location in URB
4. refactor NCM datagram loop
5. break up NCM header size computation
6. fix DPE OoB read
7. document scope of NCM implementation

Signed-off-by: Georgi Valkov <[email protected]>

Author: httpstorm

target/linux/generic/pending-6.6/781-usbnet-ipheth-fix-possible-overflow-in-DPE-length-ch.patch

@@ -0,0 +1,35 @@
+From c219427ed296f94bb4b91d08626776dc7719ee27 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:03 +0100
+Subject: [PATCH 1/7] usbnet: ipheth: fix possible overflow in DPE length check
+
+Originally, it was possible for the DPE length check to overflow if
+wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
+read.
+
+Move the wDatagramIndex term to the other side of the inequality.
+
+An existing condition ensures that wDatagramIndex < urb->actual_length.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: [email protected]
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -243,8 +243,8 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 	while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+ 	       le16_to_cpu(dpe->wDatagramLength) != 0) {
+ 		if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+-		    le16_to_cpu(dpe->wDatagramIndex) +
+-		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length) {
++		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
++		    le16_to_cpu(dpe->wDatagramIndex)) {
+ 			dev->net->stats.rx_length_errors++;
+ 			return retval;
+ 		}

target/linux/generic/pending-6.6/782-usbnet-ipheth-check-that-DPE-points-past-NCM-header.patch

@@ -0,0 +1,34 @@
+From 429fa68b58cefb9aa9de27e4089637298b46b757 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:04 +0100
+Subject: [PATCH 2/7] usbnet: ipheth: check that DPE points past NCM header
+
+By definition, a DPE points at the start of a network frame/datagram.
+Thus it makes no sense for it to point at anything that's part of the
+NCM header. It is not a security issue, but merely an indication of
+a malformed DPE.
+
+Enforce that all DPEs point at the data portion of the URB, past the
+NCM header.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: [email protected]
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -242,7 +242,8 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 	dpe = ncm0->dpe16;
+ 	while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+ 	       le16_to_cpu(dpe->wDatagramLength) != 0) {
+-		if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
++		if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE ||
++		    le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+ 		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
+ 		    le16_to_cpu(dpe->wDatagramIndex)) {
+ 			dev->net->stats.rx_length_errors++;

target/linux/generic/pending-6.6/783-usbnet-ipheth-use-static-NDP16-location-in-URB.patch

@@ -0,0 +1,52 @@
+From 86586dcb75cb8fd062a518aca8ee667938b91efb Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:05 +0100
+Subject: [PATCH 3/7] usbnet: ipheth: use static NDP16 location in URB
+
+Original code allowed for the start of NDP16 to be anywhere within the
+URB based on the `wNdpIndex` value in NTH16. Only the start position of
+NDP16 was checked, so it was possible for even the fixed-length part
+of NDP16 to extend past the end of URB, leading to an out-of-bounds
+read.
+
+On iOS devices, the NDP16 header always directly follows NTH16. Rely on
+and check for this specific format.
+
+This, along with NCM-specific minimal URB length check that already
+exists, will ensure that the fixed-length part of NDP16 plus a set
+amount of DPEs fit within the URB.
+
+Note that this commit alone does not fully address the OoB read.
+The limit on the amount of DPEs needs to be enforced separately.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: [email protected]
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -226,15 +226,14 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 
+ 	ncmh = urb->transfer_buffer;
+ 	if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+-	    le16_to_cpu(ncmh->wNdpIndex) >= urb->actual_length) {
++	    /* On iOS, NDP16 directly follows NTH16 */
++	    ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+ 		dev->net->stats.rx_errors++;
+ 		return retval;
+ 	}
+ 
+-	ncm0 = urb->transfer_buffer + le16_to_cpu(ncmh->wNdpIndex);
+-	if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN) ||
+-	    le16_to_cpu(ncmh->wHeaderLength) + le16_to_cpu(ncm0->wLength) >=
+-	    urb->actual_length) {
++	ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
++	if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+ 		dev->net->stats.rx_errors++;
+ 		return retval;
+ 	}

target/linux/generic/pending-6.6/784-usbnet-ipheth-refactor-NCM-datagram-loop.patch

@@ -0,0 +1,101 @@
+From 2a9a196429e98fcc64078366c2679bc40aba5466 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:06 +0100
+Subject: [PATCH 4/7] usbnet: ipheth: refactor NCM datagram loop
+
+Introduce an rx_error label to reduce repetitions in the header
+signature checks.
+
+Store wDatagramIndex and wDatagramLength after endianness conversion to
+avoid repeated le16_to_cpu() calls.
+
+Rewrite the loop to return on a null trailing DPE, which is required
+by the CDC NCM spec. In case it is missing, fall through to rx_error.
+
+This change does not fix any particular issue. Its purpose is to
+simplify a subsequent commit that fixes a potential OoB read by limiting
+the maximum amount of processed DPEs.
+
+Cc: [email protected] # 6.5.x
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 42 ++++++++++++++++++++++------------------
+ 1 file changed, 23 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -213,9 +213,9 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 	struct usb_cdc_ncm_ndp16 *ncm0;
+ 	struct usb_cdc_ncm_dpe16 *dpe;
+ 	struct ipheth_device *dev;
++	u16 dg_idx, dg_len;
+ 	int retval = -EINVAL;
+ 	char *buf;
+-	int len;
+ 
+ 	dev = urb->context;
+ 
+@@ -227,39 +227,43 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 	ncmh = urb->transfer_buffer;
+ 	if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+ 	    /* On iOS, NDP16 directly follows NTH16 */
+-	    ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+-		dev->net->stats.rx_errors++;
+-		return retval;
+-	}
++	    ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16)))
++		goto rx_error;
+ 
+ 	ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
+-	if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+-		dev->net->stats.rx_errors++;
+-		return retval;
+-	}
++	if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN))
++		goto rx_error;
+ 
+ 	dpe = ncm0->dpe16;
+-	while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+-	       le16_to_cpu(dpe->wDatagramLength) != 0) {
+-		if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE ||
+-		    le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+-		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
+-		    le16_to_cpu(dpe->wDatagramIndex)) {
++	while (true) {
++		dg_idx = le16_to_cpu(dpe->wDatagramIndex);
++		dg_len = le16_to_cpu(dpe->wDatagramLength);
++
++		/* Null DPE must be present after last datagram pointer entry
++		 * (3.3.1 USB CDC NCM spec v1.0)
++		 */
++		if (dg_idx == 0 && dg_len == 0)
++			return 0;
++
++		if (dg_idx < IPHETH_NCM_HEADER_SIZE ||
++		    dg_idx >= urb->actual_length ||
++		    dg_len > urb->actual_length - dg_idx) {
+ 			dev->net->stats.rx_length_errors++;
+ 			return retval;
+ 		}
+ 
+-		buf = urb->transfer_buffer + le16_to_cpu(dpe->wDatagramIndex);
+-		len = le16_to_cpu(dpe->wDatagramLength);
++		buf = urb->transfer_buffer + dg_idx;
+ 
+-		retval = ipheth_consume_skb(buf, len, dev);
++		retval = ipheth_consume_skb(buf, dg_len, dev);
+ 		if (retval != 0)
+ 			return retval;
+ 
+ 		dpe++;
+ 	}
+ 
+-	return 0;
++rx_error:
++	dev->net->stats.rx_errors++;
++	return retval;
+ }
+ 
+ static void ipheth_rcvbulk_callback(struct urb *urb)

target/linux/generic/pending-6.6/785-usbnet-ipheth-break-up-NCM-header-size-computation.patch

@@ -0,0 +1,48 @@
+From efcbc678a14be268040ffc1fa33c98faf2d55141 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:07 +0100
+Subject: [PATCH 5/7] usbnet: ipheth: break up NCM header size computation
+
+Originally, the total NCM header size was computed as the sum of two
+vaguely labelled constants. While accurate, it wasn't particularly clear
+where they were coming from.
+
+Use sizes of existing NCM structs where available. Define the total
+NDP16 size based on the maximum amount of DPEs that can fit into the
+iOS-specific fixed-size header.
+
+This change does not fix any particular issue. Rather, it introduces
+intermediate constants that will simplify subsequent commits.
+It should also make it clearer for the reader where the constant values
+come from.
+
+Cc: [email protected] # 6.5.x
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -61,7 +61,18 @@
+ #define IPHETH_USBINTF_PROTO    1
+ 
+ #define IPHETH_IP_ALIGN		2	/* padding at front of URB */
+-#define IPHETH_NCM_HEADER_SIZE  (12 + 96) /* NCMH + NCM0 */
++/* On iOS devices, NCM headers in RX have a fixed size regardless of DPE count:
++ * - NTH16 (NCMH): 12 bytes, as per CDC NCM 1.0 spec
++ * - NDP16 (NCM0): 96 bytes, of which
++ *    - NDP16 fixed header: 8 bytes
++ *    - maximum of 22 DPEs (21 datagrams + trailer), 4 bytes each
++ */
++#define IPHETH_NDP16_MAX_DPE	22
++#define IPHETH_NDP16_HEADER_SIZE (sizeof(struct usb_cdc_ncm_ndp16) + \
++				  IPHETH_NDP16_MAX_DPE * \
++				  sizeof(struct usb_cdc_ncm_dpe16))
++#define IPHETH_NCM_HEADER_SIZE	(sizeof(struct usb_cdc_ncm_nth16) + \
++				 IPHETH_NDP16_HEADER_SIZE)
+ #define IPHETH_TX_BUF_SIZE      ETH_FRAME_LEN
+ #define IPHETH_RX_BUF_SIZE_LEGACY (IPHETH_IP_ALIGN + ETH_FRAME_LEN)
+ #define IPHETH_RX_BUF_SIZE_NCM	65536

target/linux/generic/pending-6.6/786-usbnet-ipheth-fix-DPE-OoB-read.patch

@@ -0,0 +1,37 @@
+From ee591f2b281721171896117f9946fced31441418 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:08 +0100
+Subject: [PATCH 6/7] usbnet: ipheth: fix DPE OoB read
+
+Fix an out-of-bounds DPE read, limit the number of processed DPEs to
+the amount that fits into the fixed-size NDP16 header.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: [email protected]
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -246,7 +246,7 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 		goto rx_error;
+ 
+ 	dpe = ncm0->dpe16;
+-	while (true) {
++	for (int dpe_i = 0; dpe_i < IPHETH_NDP16_MAX_DPE; ++dpe_i, ++dpe) {
+ 		dg_idx = le16_to_cpu(dpe->wDatagramIndex);
+ 		dg_len = le16_to_cpu(dpe->wDatagramLength);
+ 
+@@ -268,8 +268,6 @@ static int ipheth_rcvbulk_callback_ncm(s
+ 		retval = ipheth_consume_skb(buf, dg_len, dev);
+ 		if (retval != 0)
+ 			return retval;
+-
+-		dpe++;
+ 	}
+ 
+ rx_error:

target/linux/generic/pending-6.6/787-usbnet-ipheth-document-scope-of-NCM-implementation.patch

@@ -0,0 +1,37 @@
+From be154b598fa54136e2be17d6dd13c8a8bc0078ce Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <[email protected]>
+Date: Sun, 26 Jan 2025 00:54:09 +0100
+Subject: [PATCH 7/7] usbnet: ipheth: document scope of NCM implementation
+
+Clarify that the "NCM" implementation in `ipheth` is very limited, as
+iOS devices aren't compatible with the CDC NCM specification in regular
+tethering mode.
+
+For a standards-compliant implementation, one shall turn to
+the `cdc_ncm` module.
+
+Cc: [email protected] # 6.5.x
+Signed-off-by: Foster Snowhill <[email protected]>
+Reviewed-by: Jakub Kicinski <[email protected]>
+Signed-off-by: Paolo Abeni <[email protected]>
+---
+ drivers/net/usb/ipheth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -218,6 +218,14 @@ static int ipheth_rcvbulk_callback_legac
+ 	return ipheth_consume_skb(buf, len, dev);
+ }
+ 
++/* In "NCM mode", the iOS device encapsulates RX (phone->computer) traffic
++ * in NCM Transfer Blocks (similarly to CDC NCM). However, unlike reverse
++ * tethering (handled by the `cdc_ncm` driver), regular tethering is not
++ * compliant with the CDC NCM spec, as the device is missing the necessary
++ * descriptors, and TX (computer->phone) traffic is not encapsulated
++ * at all. Thus `ipheth` implements a very limited subset of the spec with
++ * the sole purpose of parsing RX URBs.
++ */
+ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ {
+ 	struct usb_cdc_ncm_nth16 *ncmh;