From: Fabio Aiuto
To: iLifetruth
Cc: gregkh@linuxfoundation.org, ross.schm.dev@gmail.com, marcocesati@gmail.com, insafonov@gmail.com, linux-kernel@vger.kernel.org, Qiang Liu, yajin@vm-kernel.org, hdegoede@redhat.com, Larry.Finger@lwfinger.net, Martin Kaiser, Phillip Potter, Michael Straube, fmdefrancesco@gmail.com, linux-staging@lists.linux.dev, paskripkin@gmail.com
Subject: Re: staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs
Date: Tue, 24 Aug 2021 09:46:44 +0200
Message-ID: <20210824074643.GA1731@agape.jhs>
References: <20210823170624.GA1420@agape.jhs>
X-Mailing-List: linux-staging@lists.linux.dev
User-Agent: Mutt/1.10.1 (2018-07-13)

Hello,

[sorry for resend, I updated the CC field]

On Tue, Aug 24, 2021 at 03:04:04PM +0800, iLifetruth wrote:
> Here are the fixes and the contents of the patch file we suggest.
>
> [PATCH] staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan()
>
> This fix is ported from upstream commit 74b6b20df8cf ("staging:
> rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()"), which fixes
> another driver, rtl8188eu. This code has a check to prevent read
> overflow but it needs another check to prevent writing beyond the end
> of the ->ssid[] array in driver rtl8723bs.
>
> ---
> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> index f95000df8942..3b859b71bf43 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> @@ -1222,9 +1222,9 @@ static int rtw_wx_set_scan(struct net_device > *dev, struct iw_request_info *a, > > sec_len = *(pos++); len -= 1; > > - if (sec_len > 0 && sec_len <= len) { > + if (sec_len > 0 && sec_len <= len && > sec_len<= 32) { > ssid[ssid_index].SsidLength = sec_len; > - memcpy(ssid[ssid_index].Ssid, > pos, ssid[ssid_index].SsidLength); > + memcpy(ssid[ssid_index].Ssid, > pos, sec_len); > ssid_index++; > }
>
> --
>
> Thanks for your confirmation,
> - iLifetruth
>

the patch looks fine. Just some points:

- If the patch related to wext support removal is accepted, this patch
  isn't necessary, so I will wait until I know the community-maintainer
  decision.

> On Tue, Aug 24, 2021 at 10:07 AM iLifetruth wrote:
> >
> > I haven't committed the patch yet since the Linux staging tree may
> > seem special. It's not clear to me where to submit the patch. So could
> > you please fix it?
> >
> > Regards and thanks for your confirmation,
> > - iLifetruth
> >
> >
> > On Tue, Aug 24, 2021 at 1:08 AM Fabio Aiuto wrote:
> > >
> > > Hello,
> > >
> > > On Mon, Aug 23, 2021 at 11:19:09PM +0800, iLifetruth wrote:
> > > > Hi, in the latest version of the Linux staging tree, we may have found
> > > > an unfixed security bug in staging/driver/rtl8723bs related to
> > > > CVE-2021-28660. Now, we would like to contact you to confirm this
> > > > problem.
> > > >
> > > > ===========
> > > > Here is the description of CVE-2021-28660:
> > > >
> > > > "It was discovered that the rtl8188eu WiFi driver did not correctly
> > > > limit the length of SSIDs copied into scan results. An attacker within
> > > > WiFi range could use this to cause a denial of service (crash or
> > > > memory corruption) or possibly to execute code on a vulnerable
> > > > system."
> > > >
> > > > ===========
> > > > The staging driver "rtl8188eu" was fixed by commit
> > > > 74b6b20df8cfe90ada777d621b54c32e69e27cd7 on 2021-03-10.

- The driver rtl8188eu is deprecated. Now r8188eu exists, which has the
  same security bug, so it needs to be fixed. Again, feel free to submit
  your own patch.
- If you decide to submit your own patch I suggest putting your full
  name in the email address, as you submitted a legal document.
  vim 409+ Documentation/process/submitting-patches.rst

> > > >
> > > > However, in another similar staging driver named "rtl8723bs", a
> > > > function named "rtw_wx_set_scan" still has the same problem unfixed.
> > > > It was detected at
> > > > "drivers/staging/rtl8723bs/os_dep/ioctl_linux.c#Line1354", with no
> > > > check to prevent writing beyond the end of the ->ssid[] array.
> > > >
> > > > Therefore, shall we port the same fix from RTL8188EU to RTL8723BS?
> > >
> > > I think it's a good idea; moreover, I've just sent a patch series
> > > aimed at removing that piece of code, as it belongs to a very
> > > old wext implementation.
> > >
> > > But until it's accepted by the maintainer, that security bug
> > > is present and harmful. If you fix it, thank you; if you don't,
> > > thank you for reporting this, and I will fix it as soon as possible.
> > >
> > > >
> > > > Thank you!
> > >
> > > thank you,
> > >
> > > fabio

thank you for your report,

fabio
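Review bot: in the quoted hunk the new condition caps sec_len with a bare 32 instead of the size of the destination; `sec_len <= sizeof(ssid[ssid_index].Ssid)` would keep the bound tied to the array the memcpy writes into and survive a change to that array's size. Two smaller things in the same hunk: `sec_len<= 32` is missing the space before `<=` (checkpatch will flag it), and the memcpy change from `ssid[ssid_index].SsidLength` to `sec_len` is equivalent, since SsidLength was assigned sec_len on the previous line, so it could be dropped to keep the fix to the one-line check. Nothing in the hunk bounds ssid_index before the `ssid[ssid_index]` writes; worth confirming that the enclosing loop caps it at the table size.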
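Added example, not code from the thread, the patch or the driver: a stand-alone C model of the SSID-section parse that the quoted hunk changes. Assumed for the demo are a 32-byte Ssid field, a 9-entry SSID table, 'S' as the section tag and each section framed as 'S', length, SSID bytes; the driver's request header check, its other section types, and the names parse_cscan_ssids, overlong_damage and well_formed_accepted are the demo's own. The same constructed request is parsed with the original check (sec_len > 0 && sec_len <= len) and with the patched one, and the copy destination is computed as a byte offset into a single table object so the over-long write lands where it can be measured rather than on unrelated memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo assumptions, not taken from the driver source: a 32-byte Ssid field,
 * a 9-entry table, 'S' as section tag, sections framed "'S', len, <bytes>". */
#define SSID_FIELD_SIZE    32
#define SSID_TABLE_ENTRIES 9
#define CSCAN_SSID_SECTION 'S'

struct ndis_802_11_ssid {
	uint32_t SsidLength;
	uint8_t  Ssid[SSID_FIELD_SIZE];
};

/* Copies are addressed as byte offsets into this one object, so an over-long
 * memcpy lands in the following slots (or the zeroed spill area), where it can
 * be read back, instead of being an out-of-bounds write on unrelated memory. */
struct scan_table {
	struct ndis_802_11_ssid ssid[SSID_TABLE_ENTRIES];
	uint8_t spill[128];
};

/* Parse SSID sections into t->ssid[]; returns the number accepted. bounded ==
 * false is the "-" condition of the hunk; bounded == true adds the patch's cap,
 * as sizeof of the destination rather than a literal 32. The ssid_index guard
 * is the demo's own; the hunk shows none. */
static int parse_cscan_ssids(struct scan_table *t, const uint8_t *extra,
			     int len, bool bounded)
{
	const uint8_t *pos = extra;
	int ssid_index = 0;
	while (len >= 1 && ssid_index < SSID_TABLE_ENTRIES) {
		uint8_t section = *pos++;
		len -= 1;
		if (section != CSCAN_SSID_SECTION || len < 1)
			break;
		int sec_len = *pos++;	/* the driver keeps this in a char */
		len -= 1;
		/* "len" is what remains of the request, not sizeof Ssid[], so the
		 * original check admits any SSID length the request has room for. */
		bool accept = sec_len > 0 && sec_len <= len;
		if (bounded)
			accept = accept && sec_len <= (int)sizeof(t->ssid[0].Ssid);
		if (accept) {
			size_t off = offsetof(struct scan_table, ssid[0].Ssid)
				   + (size_t)ssid_index * sizeof(struct ndis_802_11_ssid);
			if (off + (size_t)sec_len > sizeof(*t))
				break;	/* keep the demonstration inside the table object */
			t->ssid[ssid_index].SsidLength = (uint32_t)sec_len;
			memcpy((uint8_t *)t + off, pos, (size_t)sec_len);
			ssid_index++;
		}
		pos += sec_len;
		len -= sec_len;
	}
	return ssid_index;
}

/* Constructed request: one section claiming a 100-byte SSID of 'A's. Returns
 * the number of non-zero bytes outside slot 0 (the damage), or -1 if rejected. */
static int overlong_damage(bool bounded)
{
	uint8_t req[102] = { CSCAN_SSID_SECTION, 100 };
	struct scan_table t;
	int damage = 0;
	memset(req + 2, 'A', 100);
	memset(&t, 0, sizeof(t));
	if (parse_cscan_ssids(&t, req, (int)sizeof(req), bounded) == 0)
		return -1;
	for (size_t i = sizeof(t.ssid[0]); i < sizeof(t); i++)
		damage += ((const uint8_t *)&t)[i] != 0;
	return damage;
}

/* Constructed request with two well-formed SSIDs; returns 2 when both land in
 * the right slots with the right lengths, -1 otherwise. */
static int well_formed_accepted(bool bounded)
{
	static const uint8_t req[] = { 'S', 4, 'h', 'o', 'm', 'e',
				       'S', 5, 'g', 'u', 'e', 's', 't' };
	struct scan_table t;

	memset(&t, 0, sizeof(t));
	if (parse_cscan_ssids(&t, req, (int)sizeof(req), bounded) != 2 ||
	    t.ssid[0].SsidLength != 4 || t.ssid[1].SsidLength != 5 ||
	    memcmp(t.ssid[1].Ssid, "guest", 5) != 0)
		return -1;
	return 2;
}

int main(void)
{
	printf("before the fix: damage %d\nafter the fix: damage %d (-1 = rejected), well-formed %d\n",
	       overlong_damage(false), overlong_damage(true), well_formed_accepted(true));
}
```

Build with cc -std=c11 -Wall. The 100-byte entry passes the original check because len is only the bytes left in the request, and 68 of its bytes land in ssid[1] and ssid[2] (ssid[1].SsidLength becomes 0x41414141); the patched check rejects it and still accepts both well-formed entries. The driver stores sec_len in a char, which is signed on x86, so bytes 0x80..0xff already fail sec_len > 0 there and the reachable overrun is 33..127 bytes; the bound belongs on the destination, which is why the demo spells it sizeof(t->ssid[0].Ssid) rather than 32.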