From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Atul Gopinathan <atulgopinathan@gmail.com>
Subject: [PATCH 4.14 51/52] staging: rtl8192e: Change state information from u16 to u8
Date: Mon,  5 Apr 2021 10:54:17 +0200
Message-ID: <20210405085023.646633642@linuxfoundation.org>
In-Reply-To: <20210405085021.996963957@linuxfoundation.org>

From: Atul Gopinathan <atulgopinathan@gmail.com>

commit e78836ae76d20f38eed8c8c67f21db97529949da upstream.

The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
bytes in total while the operations performed on this array throughout
the code base are only 2 bytes.

The "CcxRmState" field is fed only 2 bytes of data using memcpy():

(In rtllib_rx.c:1972)
	memcpy(network->CcxRmState, &info_element->data[4], 2)

With "info_element->data[]" being a u8 array, if 2 bytes are written
into "CcxRmState" (whose one element is u16 size), then the 2 u8
elements from "data[]" get squashed and written into the first element
("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
fed with any data.

Same in file rtllib_rx.c:2522:
	 memcpy(dst->CcxRmState, src->CcxRmState, 2);

The above line duplicates "src" data to "dst" but only writes 2 bytes
(and not 4, which is the actual size). Again, only the 1st element gets
the value while the 2nd element remains uninitialized.

This later makes operations done with CcxRmState unpredictable in the
following lines as the 1st element holds a squashed number while the
2nd element holds an uninitialized random number.

rtllib_rx.c:1973:    if (network->CcxRmState[0] != 0)
rtllib_rx.c:1977:    network->MBssidMask = network->CcxRmState[1] & 0x07;

network->MBssidMask is also of type u8 and not u16.

Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
data written into this array and read from it make sense and are not
random values.

NOTE: The wrong initialization of "CcxRmState" can be seen in the
following commit:

commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")

The above commit created a file `rtl8192e/ieee80211.h` which used to
have the faulty line. The file has been deleted (or possibly renamed)
with the contents copied into a new file `rtl8192e/rtllib.h` along with
additional code in the commit 94a799425eee (tagged in Fixes).

Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Cc: stable@vger.kernel.org
Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8192e/rtllib.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8192e/rtllib.h
+++ b/drivers/staging/rtl8192e/rtllib.h
@@ -1110,7 +1110,7 @@ struct rtllib_network {
 	bool	bWithAironetIE;
 	bool	bCkipSupported;
 	bool	bCcxRmEnable;
-	u16	CcxRmState[2];
+	u8	CcxRmState[2];
 	bool	bMBssidValid;
 	u8	MBssidMask;
 	u8	MBssid[ETH_ALEN];
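Review bot: the two memcpy() call sites quoted in the message (rtllib_rx.c:1972 and rtllib_rx.c:2522) still pass a hard-coded length of 2; now that the array is `u8 CcxRmState[2]` that literal happens to equal sizeof(CcxRmState), so a follow-up that replaces `2` with `sizeof(network->CcxRmState)` and `sizeof(dst->CcxRmState)` would tie the copy length to the type and stop this mismatch from recurring if the field changes again. The type change itself is sufficient for the uses shown: both payload bytes now land one per element, so the `network->CcxRmState[1] & 0x07` read at rtllib_rx.c:1977 no longer consumes an element the copy never wrote.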


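The effect described in the commit message, as an added example that is not part of the patch or the driver: a constructed information-element payload is copied with the quoted memcpy() into the pre-patch u16 array and into the post-patch u8 array, and the derived MBssidMask is compared. The structs, the sample bytes and the 0xAA pre-fill (standing in for whatever stale memory the unwritten element would hold) are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;
typedef uint16_t u16;

/* Hypothetical structs holding only the fields the commit message
 * discusses, not the real struct rtllib_network. */
struct net_before { u16 CcxRmState[2]; u8 MBssidMask; };  /* pre-patch */
struct net_after  { u8  CcxRmState[2]; u8 MBssidMask; };  /* post-patch */

/* Constructed information-element payload; the driver copies the two
 * state bytes found at data[4] and data[5]. */
static const u8 sample_ie[6] = { 0x00, 0x01, 0x02, 0x03, 0x01, 0x05 };

/* Pre-patch: memcpy(network->CcxRmState, &data[4], 2) writes both
 * payload bytes into CcxRmState[0] and never touches CcxRmState[1].
 * The array is pre-filled with 0xAA so the unwritten element stays
 * observable instead of being whatever the stack held. */
static u8 before_fix(const u8 *data, u16 out_state[2])
{
	struct net_before n;
	memset(n.CcxRmState, 0xAA, sizeof(n.CcxRmState));
	memcpy(n.CcxRmState, &data[4], 2);
	n.MBssidMask = n.CcxRmState[1] & 0x07;   /* reads the stale element */
	out_state[0] = n.CcxRmState[0];          /* squashed pair of bytes */
	out_state[1] = n.CcxRmState[1];          /* still 0xAAAA */
	return n.MBssidMask;
}

/* Post-patch: with u8 elements the same two bytes land one per element,
 * and sizeof() of the array now equals the copied length. */
static u8 after_fix(const u8 *data, u8 out_state[2])
{
	struct net_after n;
	memcpy(n.CcxRmState, &data[4], sizeof(n.CcxRmState));
	n.MBssidMask = n.CcxRmState[1] & 0x07;   /* derived from data[5] */
	out_state[0] = n.CcxRmState[0];
	out_state[1] = n.CcxRmState[1];
	return n.MBssidMask;
}
```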
