From: Arend Van Spriel <aspriel@gmail.com>
To: Kalle Valo <kvalo@kernel.org>, Dokyung Song <dokyung.song@gmail.com>
Cc: linux-wireless@vger.kernel.org,
Jisoo Jang <jisoo.jang@yonsei.ac.kr>,
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Subject: Re: [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker'
Date: Fri, 21 Oct 2022 10:38:20 +0200 [thread overview]
Message-ID: <10230673-8dbe-bf67-ba76-9f8cdc35faf3@gmail.com> (raw)
In-Reply-To: <87v8od1x69.fsf@kernel.org>
On 10/21/2022 8:57 AM, Kalle Valo wrote:
> Dokyung Song <dokyung.song@gmail.com> writes:
>
>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs
>> when the device provides a 'bsscfgidx' equal to or greater than the
>> buffer size. The patch adds a check that leads to a safe failure if that
>> is the case.
>>
>> This fixes CVE-2022-3628.
>>
>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
>> index 52 is out of range for type 'brcmf_if *[16]'
[...]
>> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
>> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
>> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
>> Reviewed-by: Arend van Spriel <aspriel@gmail.com>
>> Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
>> ---
>> v1->v2: Addressed review comments
>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number
>>
>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>
> Please include the driver name in the subject. And we prefer use
> parenthesis with function names. So the subject should be:
>
> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
>
> I can fix that during commit.
>
> Should I queue this to v6.1?
Please do. Probably good to add Cc: for stable. Should apply to older
kernels as is.
btw. is there any formal way to reference CVE. There probably isn't as
generally we don't require a CVE in kernel tree [1].
Regards,
Arend
[1] https://docs.kernel.org/admin-guide/security-bugs.html
next prev parent reply other threads:[~2022-10-21 8:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-21 6:13 [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker' Dokyung Song
2022-10-21 6:57 ` Kalle Valo
2022-10-21 8:38 ` Arend Van Spriel [this message]
2022-10-21 14:53 ` Kalle Valo
2022-10-22 5:15 ` Dokyung Song
2022-11-01 11:14 ` [v3] wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10230673-8dbe-bf67-ba76-9f8cdc35faf3@gmail.com \
--to=aspriel@gmail.com \
--cc=dokyung.song@gmail.com \
--cc=jisoo.jang@yonsei.ac.kr \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linuxlovemin@yonsei.ac.kr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.