* [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() [not found] <YEHymwsnHewzoam7@mwanda> @ 2022-05-18 7:00 ` Denis Efremov 2022-05-18 7:49 ` Denis Efremov 2022-05-19 15:45 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Greg KH 0 siblings, 2 replies; 15+ messages in thread From: Denis Efremov @ 2022-05-18 7:00 UTC (permalink / raw) To: Larry.Finger Cc: Denis Efremov, phil, gregkh, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> --- This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). Drivers r8188eu and rtl8188eu share the same code. drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c index eb9375b0c660..a2692ce02bc2 100644 --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c @@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, break; } sec_len = *(pos++); len -= 1; - if (sec_len > 0 && sec_len <= len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); ssid_index++; } pos += sec_len; -- 2.35.3 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-18 7:00 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov @ 2022-05-18 7:49 ` Denis Efremov 2022-05-19 15:40 ` Greg KH 2022-05-19 15:45 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Greg KH 1 sibling, 1 reply; 15+ messages in thread From: Denis Efremov @ 2022-05-18 7:49 UTC (permalink / raw) To: Larry.Finger Cc: phil, gregkh, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On 5/18/22 11:00, Denis Efremov wrote: > This code has a check to prevent read overflow but it needs another > check to prevent writing beyond the end of the ->Ssid[] array. > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> > --- > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). > Drivers r8188eu and rtl8188eu share the same code. I also found same code pattern in rtl8723bs driver in stable kernels 5.10, 5.4, 4.19, 4.14. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c?h=linux-5.10.y#n1354 I can send the same fix to stable trees if appropriate. > > drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > index eb9375b0c660..a2692ce02bc2 100644 > --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c > +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > @@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, > break; > } > sec_len = *(pos++); len -= 1; > - if (sec_len > 0 && sec_len <= len) { > + if (sec_len > 0 && > + sec_len <= len && > + sec_len <= 32) { > ssid[ssid_index].SsidLength = sec_len; > - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); > + memcpy(ssid[ssid_index].Ssid, pos, sec_len); > ssid_index++; > } > pos += sec_len; ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-18 7:49 ` Denis Efremov @ 2022-05-19 15:40 ` Greg KH 2022-05-20 3:57 ` [PATCH v5.10] staging: rtl8723bs: " Denis Efremov (Oracle) 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) 0 siblings, 2 replies; 15+ messages in thread From: Greg KH @ 2022-05-19 15:40 UTC (permalink / raw) To: Denis Efremov Cc: Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Wed, May 18, 2022 at 11:49:27AM +0400, Denis Efremov wrote: > > > On 5/18/22 11:00, Denis Efremov wrote: > > This code has a check to prevent read overflow but it needs another > > check to prevent writing beyond the end of the ->Ssid[] array. > > > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") > > Cc: stable <stable@vger.kernel.org> > > Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> > > --- > > > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). > > Drivers r8188eu and rtl8188eu share the same code. > > I also found same code pattern in rtl8723bs driver in > stable kernels 5.10, 5.4, 4.19, 4.14. > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c?h=linux-5.10.y#n1354 > I can send the same fix to stable trees if appropriate. Please do! thanks, greg k-h ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-19 15:40 ` Greg KH @ 2022-05-20 3:57 ` Denis Efremov (Oracle) 2022-05-23 15:26 ` Greg KH 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.10-stable tree gregkh 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) 1 sibling, 2 replies; 15+ messages in thread From: Denis Efremov (Oracle) @ 2022-05-20 3:57 UTC (permalink / raw) To: gregkh Cc: Denis Efremov (Oracle), Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index 902ac8169948..083ff72976cf 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, sec_len = *(pos++); len -= 1; - if (sec_len > 0 && sec_len <= len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; -- 2.35.3 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-20 3:57 ` [PATCH v5.10] staging: rtl8723bs: " Denis Efremov (Oracle) @ 2022-05-23 15:26 ` Greg KH 2022-05-23 17:41 ` Denis Efremov 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.10-stable tree gregkh 1 sibling, 1 reply; 15+ messages in thread From: Greg KH @ 2022-05-23 15:26 UTC (permalink / raw) To: Denis Efremov (Oracle) Cc: Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote: > This code has a check to prevent read overflow but it needs another > check to prevent writing beyond the end of the ->Ssid[] array. > > Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> > --- > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) And only 5.10 needs this? What about all other kernel branches? thanks, greg k-h ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-23 15:26 ` Greg KH @ 2022-05-23 17:41 ` Denis Efremov 2022-05-26 12:05 ` Greg KH 0 siblings, 1 reply; 15+ messages in thread From: Denis Efremov @ 2022-05-23 17:41 UTC (permalink / raw) To: Greg KH Cc: Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable Hi, On 5/23/22 19:26, Greg KH wrote: > On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote: >> This code has a check to prevent read overflow but it needs another >> check to prevent writing beyond the end of the ->Ssid[] array. >> >> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") >> Cc: stable <stable@vger.kernel.org> >> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> >> --- >> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) > > And only 5.10 needs this? What about all other kernel branches? > From 5.10, 5.4, 4.19, to 4.14. There is a small spaces conflict in 5.4-4.14 kernels because of c77761d660a6 staging: rtl8723bs: Fix spacing issues I sent another patch to handle it. Thanks, Denis ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-23 17:41 ` Denis Efremov @ 2022-05-26 12:05 ` Greg KH 0 siblings, 0 replies; 15+ messages in thread From: Greg KH @ 2022-05-26 12:05 UTC (permalink / raw) To: Denis Efremov Cc: Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Mon, May 23, 2022 at 09:41:09PM +0400, Denis Efremov wrote: > Hi, > > On 5/23/22 19:26, Greg KH wrote: > > On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote: > >> This code has a check to prevent read overflow but it needs another > >> check to prevent writing beyond the end of the ->Ssid[] array. > >> > >> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") > >> Cc: stable <stable@vger.kernel.org> > >> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> > >> --- > >> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- > >> 1 file changed, 4 insertions(+), 2 deletions(-) > > > > And only 5.10 needs this? What about all other kernel branches? > > > > >From 5.10, 5.4, 4.19, to 4.14. > > There is a small spaces conflict in 5.4-4.14 kernels because of > c77761d660a6 staging: rtl8723bs: Fix spacing issues > > I sent another patch to handle it. Thanks, all now queued up. greg k-h ^ permalink raw reply [flat|nested] 15+ messages in thread
* Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.10-stable tree 2022-05-20 3:57 ` [PATCH v5.10] staging: rtl8723bs: " Denis Efremov (Oracle) 2022-05-23 15:26 ` Greg KH @ 2022-05-26 12:05 ` gregkh 1 sibling, 0 replies; 15+ messages in thread From: gregkh @ 2022-05-26 12:05 UTC (permalink / raw) To: Larry.Finger, dan.carpenter, efremov, gregkh, linux-staging, phil, straube.linux Cc: stable-commits This is a note to let you know that I've just added the patch titled staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. From efremov@linux.com Thu May 26 14:03:56 2022 From: "Denis Efremov (Oracle)" <efremov@linux.com> Date: Fri, 20 May 2022 07:57:30 +0400 Subject: staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() To: gregkh@linuxfoundation.org Cc: "Denis Efremov (Oracle)" <efremov@linux.com>, Larry.Finger@lwfinger.net, phil@philpotter.co.uk, dan.carpenter@oracle.com, straube.linux@gmail.com, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, stable <stable@vger.kernel.org> Message-ID: <20220520035730.5533-1-efremov@linux.com> From: "Denis Efremov (Oracle)" <efremov@linux.com> This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_de sec_len = *(pos++); len -= 1; - if (sec_len > 0 && sec_len <= len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; Patches currently in stable-queue which might be from efremov@linux.com are queue-5.10/staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-19 15:40 ` Greg KH 2022-05-20 3:57 ` [PATCH v5.10] staging: rtl8723bs: " Denis Efremov (Oracle) @ 2022-05-23 17:39 ` Denis Efremov (Oracle) 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.14-stable tree gregkh ` (2 more replies) 1 sibling, 3 replies; 15+ messages in thread From: Denis Efremov (Oracle) @ 2022-05-23 17:39 UTC (permalink / raw) To: gregkh Cc: Denis Efremov (Oracle), Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index d8d44fd9a92f..ea2fd3a73c3a 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, sec_len = *(pos++); len-= 1; - if (sec_len>0 && sec_len<=len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; -- 2.36.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.14-stable tree 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) @ 2022-05-26 12:05 ` gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.19-stable tree gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.4-stable tree gregkh 2 siblings, 0 replies; 15+ messages in thread From: gregkh @ 2022-05-26 12:05 UTC (permalink / raw) To: Larry.Finger, dan.carpenter, efremov, gregkh, linux-staging, phil, straube.linux Cc: stable-commits This is a note to let you know that I've just added the patch titled staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. From efremov@linux.com Thu May 26 14:03:14 2022 From: "Denis Efremov (Oracle)" <efremov@linux.com> Date: Mon, 23 May 2022 21:39:43 +0400 Subject: staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() To: gregkh@linuxfoundation.org Cc: "Denis Efremov (Oracle)" <efremov@linux.com>, Larry.Finger@lwfinger.net, phil@philpotter.co.uk, dan.carpenter@oracle.com, straube.linux@gmail.com, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, stable <stable@vger.kernel.org> Message-ID: <20220523173943.12486-1-efremov@linux.com> From: "Denis Efremov (Oracle)" <efremov@linux.com> This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1438,9 +1438,11 @@ static int rtw_wx_set_scan(struct net_de sec_len = *(pos++); len-= 1; - if (sec_len>0 && sec_len<=len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; Patches currently in stable-queue which might be from efremov@linux.com are queue-4.14/staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch ^ permalink raw reply [flat|nested] 15+ messages in thread
* Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.19-stable tree 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.14-stable tree gregkh @ 2022-05-26 12:05 ` gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.4-stable tree gregkh 2 siblings, 0 replies; 15+ messages in thread From: gregkh @ 2022-05-26 12:05 UTC (permalink / raw) To: Larry.Finger, dan.carpenter, efremov, gregkh, linux-staging, phil, straube.linux Cc: stable-commits This is a note to let you know that I've just added the patch titled staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. From efremov@linux.com Thu May 26 14:03:14 2022 From: "Denis Efremov (Oracle)" <efremov@linux.com> Date: Mon, 23 May 2022 21:39:43 +0400 Subject: staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() To: gregkh@linuxfoundation.org Cc: "Denis Efremov (Oracle)" <efremov@linux.com>, Larry.Finger@lwfinger.net, phil@philpotter.co.uk, dan.carpenter@oracle.com, straube.linux@gmail.com, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, stable <stable@vger.kernel.org> Message-ID: <20220523173943.12486-1-efremov@linux.com> From: "Denis Efremov (Oracle)" <efremov@linux.com> This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1359,9 +1359,11 @@ static int rtw_wx_set_scan(struct net_de sec_len = *(pos++); len-= 1; - if (sec_len>0 && sec_len<=len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; Patches currently in stable-queue which might be from efremov@linux.com are queue-4.19/staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch ^ permalink raw reply [flat|nested] 15+ messages in thread
* Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.4-stable tree 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.14-stable tree gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.19-stable tree gregkh @ 2022-05-26 12:05 ` gregkh 2 siblings, 0 replies; 15+ messages in thread From: gregkh @ 2022-05-26 12:05 UTC (permalink / raw) To: Larry.Finger, dan.carpenter, efremov, gregkh, linux-staging, phil, straube.linux Cc: stable-commits This is a note to let you know that I've just added the patch titled staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. From efremov@linux.com Thu May 26 14:03:14 2022 From: "Denis Efremov (Oracle)" <efremov@linux.com> Date: Mon, 23 May 2022 21:39:43 +0400 Subject: staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() To: gregkh@linuxfoundation.org Cc: "Denis Efremov (Oracle)" <efremov@linux.com>, Larry.Finger@lwfinger.net, phil@philpotter.co.uk, dan.carpenter@oracle.com, straube.linux@gmail.com, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, stable <stable@vger.kernel.org> Message-ID: <20220523173943.12486-1-efremov@linux.com> From: "Denis Efremov (Oracle)" <efremov@linux.com> This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->Ssid[] array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_de sec_len = *(pos++); len-= 1; - if (sec_len>0 && sec_len<=len) { + if (sec_len > 0 && + sec_len <= len && + sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++; Patches currently in stable-queue which might be from efremov@linux.com are queue-5.4/staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-18 7:00 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov 2022-05-18 7:49 ` Denis Efremov @ 2022-05-19 15:45 ` Greg KH 2022-05-19 17:16 ` Dan Carpenter 1 sibling, 1 reply; 15+ messages in thread From: Greg KH @ 2022-05-19 15:45 UTC (permalink / raw) To: Denis Efremov Cc: Larry.Finger, phil, dan.carpenter, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote: > This code has a check to prevent read overflow but it needs another > check to prevent writing beyond the end of the ->Ssid[] array. > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> > --- > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). > Drivers r8188eu and rtl8188eu share the same code. This does not apply to my tree at all. This file is not present anymore, what tree did you make it against? confused, greg k-h ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-19 15:45 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Greg KH @ 2022-05-19 17:16 ` Dan Carpenter 2022-05-19 17:36 ` Greg KH 0 siblings, 1 reply; 15+ messages in thread From: Dan Carpenter @ 2022-05-19 17:16 UTC (permalink / raw) To: Greg KH Cc: Denis Efremov, Larry.Finger, phil, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Thu, May 19, 2022 at 05:45:31PM +0200, Greg KH wrote: > On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote: > > This code has a check to prevent read overflow but it needs another > > check to prevent writing beyond the end of the ->Ssid[] array. > > > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") > > Cc: stable <stable@vger.kernel.org> > > Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> > > --- > > > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). > > Drivers r8188eu and rtl8188eu share the same code. > > This does not apply to my tree at all. This file is not present anymore, > what tree did you make it against? > That's weird. It applies fine for me on today's linux-next. regards, dan carpenter ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() 2022-05-19 17:16 ` Dan Carpenter @ 2022-05-19 17:36 ` Greg KH 0 siblings, 0 replies; 15+ messages in thread From: Greg KH @ 2022-05-19 17:36 UTC (permalink / raw) To: Dan Carpenter Cc: Denis Efremov, Larry.Finger, phil, straube.linux, linux-staging, linux-kernel, kernel-janitors, stable On Thu, May 19, 2022 at 08:16:28PM +0300, Dan Carpenter wrote: > On Thu, May 19, 2022 at 05:45:31PM +0200, Greg KH wrote: > > On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote: > > > This code has a check to prevent read overflow but it needs another > > > check to prevent writing beyond the end of the ->Ssid[] array. > > > > > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") > > > Cc: stable <stable@vger.kernel.org> > > > Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> > > > --- > > > > > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660). > > > Drivers r8188eu and rtl8188eu share the same code. > > > > This does not apply to my tree at all. This file is not present anymore, > > what tree did you make it against? > > > > That's weird. It applies fine for me on today's linux-next. Ok, really wierd, it worked this time. I'll blame my email setup somehow, I was churning through lots of patches at once... thanks for checking. greg k-h ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2022-05-26 12:06 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <YEHymwsnHewzoam7@mwanda> 2022-05-18 7:00 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov 2022-05-18 7:49 ` Denis Efremov 2022-05-19 15:40 ` Greg KH 2022-05-20 3:57 ` [PATCH v5.10] staging: rtl8723bs: " Denis Efremov (Oracle) 2022-05-23 15:26 ` Greg KH 2022-05-23 17:41 ` Denis Efremov 2022-05-26 12:05 ` Greg KH 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.10-stable tree gregkh 2022-05-23 17:39 ` [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() Denis Efremov (Oracle) 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.14-stable tree gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 4.19-stable tree gregkh 2022-05-26 12:05 ` Patch "staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()" has been added to the 5.4-stable tree gregkh 2022-05-19 15:45 ` [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() Greg KH 2022-05-19 17:16 ` Dan Carpenter 2022-05-19 17:36 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).