All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dokyung Song <dokyung.song@gmail.com>
To: Kalle Valo <kvalo@kernel.org>
Cc: Arend Van Spriel <aspriel@gmail.com>,
	Dokyung Song <dokyung.song@gmail.com>,
	linux-wireless@vger.kernel.org,
	Jisoo Jang <jisoo.jang@yonsei.ac.kr>,
	Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Subject: Re: [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker'
Date: Sat, 22 Oct 2022 14:15:53 +0900	[thread overview]
Message-ID: <20221022051553.GA633896@laguna> (raw)
In-Reply-To: <87czali5x9.fsf@kernel.org>

On Fri, Oct 21, 2022 at 05:53:54PM +0300, Kalle Valo wrote:
> Arend Van Spriel <aspriel@gmail.com> writes:
> 
> > On 10/21/2022 8:57 AM, Kalle Valo wrote:
> >> Dokyung Song <dokyung.song@gmail.com> writes:
> >>
> >>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs
> >>> when the device provides a 'bsscfgidx' equal to or greater than the
> >>> buffer size. The patch adds a check that leads to a safe failure if that
> >>> is the case.
> >>>
> >>> This fixes CVE-2022-3628.
> >>>
> >>> UBSAN: array-index-out-of-bounds in
> >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> >>> index 52 is out of range for type 'brcmf_if *[16]'
> >
> > [...]
> >
> >>> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
> >>> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
> >>> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
> >>> Reviewed-by: Arend van Spriel <aspriel@gmail.com>
> >>> Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
> >>> ---
> >>> v1->v2: Addressed review comments
> >>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number
> >>>
> >>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++
> >>>   1 file changed, 4 insertions(+)
> >>
> >> Please include the driver name in the subject. And we prefer use
> >> parenthesis with function names. So the subject should be:
> >>
> >> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
> >>
> >> I can fix that during commit.

That would be greatly appreciated. Let me know if anything further needs fixing.

> >>
> >> Should I queue this to v6.1?
> >
> > Please do. Probably good to add Cc: for stable. Should apply to older
> > kernels as is.
> 
> Ok, I'll add that as well.
> 
> > btw. is there any formal way to reference CVE. There probably isn't as
> > generally we don't require a CVE in kernel tree [1].
> 
> I'm not aware of any formal way to mark CVEs. If there are, please let
> me know :)

I am not aware of any either. I looked at other commits and followed recent practice.

> 
> -- 
> https://patchwork.kernel.org/project/linux-wireless/list/
> 
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

  reply	other threads:[~2022-10-22  5:16 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-21  6:13 [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker' Dokyung Song
2022-10-21  6:57 ` Kalle Valo
2022-10-21  8:38   ` Arend Van Spriel
2022-10-21 14:53     ` Kalle Valo
2022-10-22  5:15       ` Dokyung Song [this message]
2022-11-01 11:14 ` [v3] wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221022051553.GA633896@laguna \
    --to=dokyung.song@gmail.com \
    --cc=aspriel@gmail.com \
    --cc=jisoo.jang@yonsei.ac.kr \
    --cc=kvalo@kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=linuxlovemin@yonsei.ac.kr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.