Re: staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs

[iLifetruth <yixiaonn@gmail.com>]

Here are the fixes and the contents of the patch file we suggest.

[PATCH]staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan()

This fixing patch is ported from the upstream commit
74b6b20df8cf(staging: rtl8188eu: prevent ->ssid overflow in
rtw_wx_set_scan()) which fixes on another driver numbered rtl8188eu.
This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->ssid[] array in
driver rtl8723bs.

---
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index f95000df8942..3b859b71bf43 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -1222,9 +1222,9 @@ static int rtw_wx_set_scan(struct net_device
*dev, struct iw_request_info *a,

                                sec_len = *(pos++); len -= 1;

-                               if (sec_len > 0 && sec_len <= len) {
+                               if (sec_len > 0 && sec_len <= len &&
sec_len<= 32) {
                                        ssid[ssid_index].SsidLength = sec_len;
-                                       memcpy(ssid[ssid_index].Ssid,
pos, ssid[ssid_index].SsidLength);
+                                       memcpy(ssid[ssid_index].Ssid,
pos, sec_len);
                                        ssid_index++;
                                }

--

Thanks for your confirmation,
- iLifetruth


On Tue, Aug 24, 2021 at 10:07 AM iLifetruth <yixiaonn@gmail.com> wrote:
>
> I haven't committed the patch yet since the Linux staging tree may
> seem special. It's not clear to me where to submit the patch. So could
> you please fix it?
>
> Regards and thanks for your confirmation,
> - iLifetruth
>
>
> On Tue, Aug 24, 2021 at 1:08 AM Fabio Aiuto <fabioaiuto83@gmail.com> wrote:
> >
> > Hello,
> >
> > On Mon, Aug 23, 2021 at 11:19:09PM +0800, iLifetruth wrote:
> > > Hi, in the latest version of Linux staging tree, we may have found an
> > > unfixed security bug in the staging/driver/rtl8723bs related to the
> > > CVE-2021-28660. Now, we would like to contact you to confirm this
> > > problem.
> > >
> > > ===========
> > > Here is the description of CVE-2021-28660:
> > >
> > > "It was discovered that the rtl8188eu WiFi driver did not correctly
> > > limit the length of SSIDs copied into scan results. An attacker within
> > > WiFi range could use this to cause a denial of service (crash or
> > > memory corruption) or possibly to execute code on a vulnerable
> > > system."
> > >
> > > ===========
> > > The staging driver "rtl8188eu" was fixed by commit
> > > 74b6b20df8cfe90ada777d621b54c32e69e27cd7 on 2021-03-10.
> > >
> > > However, in another similar staging driver numbered "rtl8723bs", a
> > > function named “rtw_wx_set_scan” remains the same problem unfixed. And
> > > it is detected in the
> > > “drivers/staging/rtl8723bs/os_dep/ioctl_linux.c#Line1354" without
> > > checking to prevent writing beyond the end of the ->ssid[] array.
> > >
> > > Therefore, shall we port the same fix from RTL8188EU to RTL8723BS?
> >
> > I think it's a good idea, moreover I've just sent a patch series
> > aimed at removing that piece of code for it belongs to very
> > old wext implementation.
> >
> > But until it's not accepted by the maintainer that security bug
> > is present and harmful. If you fix it thank you, if you don't
> > thank you for reporting this, I will fix as soon as possible.
> >
> > >
> > > Thank you!
> >
> > thank you,
> >
> > fabio