From: Kalle Valo <kvalo@kernel.org>
To: Arend Van Spriel <aspriel@gmail.com>
Cc: Dokyung Song <dokyung.song@gmail.com>,
linux-wireless@vger.kernel.org,
Jisoo Jang <jisoo.jang@yonsei.ac.kr>,
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Subject: Re: [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker'
Date: Fri, 21 Oct 2022 17:53:54 +0300 [thread overview]
Message-ID: <87czali5x9.fsf@kernel.org> (raw)
In-Reply-To: <10230673-8dbe-bf67-ba76-9f8cdc35faf3@gmail.com> (Arend Van Spriel's message of "Fri, 21 Oct 2022 10:38:20 +0200")
Arend Van Spriel <aspriel@gmail.com> writes:
> On 10/21/2022 8:57 AM, Kalle Valo wrote:
>> Dokyung Song <dokyung.song@gmail.com> writes:
>>
>>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs
>>> when the device provides a 'bsscfgidx' equal to or greater than the
>>> buffer size. The patch adds a check that leads to a safe failure if that
>>> is the case.
>>>
>>> This fixes CVE-2022-3628.
>>>
>>> UBSAN: array-index-out-of-bounds in
>>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
>>> index 52 is out of range for type 'brcmf_if *[16]'
>
> [...]
>
>>> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
>>> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
>>> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
>>> Reviewed-by: Arend van Spriel <aspriel@gmail.com>
>>> Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
>>> ---
>>> v1->v2: Addressed review comments
>>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number
>>>
>>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>
>> Please include the driver name in the subject. And we prefer use
>> parenthesis with function names. So the subject should be:
>>
>> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
>>
>> I can fix that during commit.
>>
>> Should I queue this to v6.1?
>
> Please do. Probably good to add Cc: for stable. Should apply to older
> kernels as is.
Ok, I'll add that as well.
> btw. is there any formal way to reference CVE. There probably isn't as
> generally we don't require a CVE in kernel tree [1].
I'm not aware of any formal way to mark CVEs. If there are, please let
me know :)
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next prev parent reply other threads:[~2022-10-21 14:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-21 6:13 [PATCH v3] wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker' Dokyung Song
2022-10-21 6:57 ` Kalle Valo
2022-10-21 8:38 ` Arend Van Spriel
2022-10-21 14:53 ` Kalle Valo [this message]
2022-10-22 5:15 ` Dokyung Song
2022-11-01 11:14 ` [v3] wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87czali5x9.fsf@kernel.org \
--to=kvalo@kernel.org \
--cc=aspriel@gmail.com \
--cc=dokyung.song@gmail.com \
--cc=jisoo.jang@yonsei.ac.kr \
--cc=linux-wireless@vger.kernel.org \
--cc=linuxlovemin@yonsei.ac.kr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.