From: Fabio Aiuto <fabioaiuto83@gmail.com>
To: iLifetruth <yixiaonn@gmail.com>
Cc: gregkh@linuxfoundation.org, ross.schm.dev@gmail.com,
marcocesati@gmail.com, insafonov@gmail.com,
linux-kernel@vger.kernel.org, Qiang Liu <cyruscyliu@gmail.com>,
yajin@vm-kernel.org, hdegoede@redhat.com,
Larry.Finger@lwfinger.net, Martin Kaiser <martin@kaiser.cx>,
Phillip Potter <phil@philpotter.co.uk>,
Michael Straube <straube.linux@gmail.com>,
fmdefrancesco@gmail.com
Subject: Re: staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs
Date: Tue, 24 Aug 2021 09:40:56 +0200 [thread overview]
Message-ID: <20210824074055.GA1421@agape.jhs> (raw)
In-Reply-To: <CABv53a_9GstHzLbbbghFxU_YDxC0ckh3+bGu4RqAmGL39BHMMg@mail.gmail.com>
Hello,
On Tue, Aug 24, 2021 at 03:04:04PM +0800, iLifetruth wrote:
> Here are the fixes and the contents of the patch file we suggest.
>
> [PATCH]staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan()
>
> This fixing patch is ported from the upstream commit
> 74b6b20df8cf(staging: rtl8188eu: prevent ->ssid overflow in
> rtw_wx_set_scan()) which fixes on another driver numbered rtl8188eu.
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->ssid[] array in
> driver rtl8723bs.
>
> ---
> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> index f95000df8942..3b859b71bf43 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> @@ -1222,9 +1222,9 @@ static int rtw_wx_set_scan(struct net_device
> *dev, struct iw_request_info *a,
>
> sec_len = *(pos++); len -= 1;
>
> - if (sec_len > 0 && sec_len <= len) {
> + if (sec_len > 0 && sec_len <= len &&
> sec_len<= 32) {
> ssid[ssid_index].SsidLength = sec_len;
> - memcpy(ssid[ssid_index].Ssid,
> pos, ssid[ssid_index].SsidLength);
> + memcpy(ssid[ssid_index].Ssid,
> pos, sec_len);
> ssid_index++;
> }
>
> --
>
> Thanks for your confirmation,
> - iLifetruth
>
the patch looks fine. Just some points:
- If the patch related to wext support removal will
be accepted, the patch isn't necessary. So I will wait
until I know the community-maintainer decision.
>
> On Tue, Aug 24, 2021 at 10:07 AM iLifetruth <yixiaonn@gmail.com> wrote:
> >
> > I haven't committed the patch yet since the Linux staging tree may
> > seem special. It's not clear to me where to submit the patch. So could
> > you please fix it?
> >
> > Regards and thanks for your confirmation,
> > - iLifetruth
> >
> >
> > On Tue, Aug 24, 2021 at 1:08 AM Fabio Aiuto <fabioaiuto83@gmail.com> wrote:
> > >
> > > Hello,
> > >
> > > On Mon, Aug 23, 2021 at 11:19:09PM +0800, iLifetruth wrote:
> > > > Hi, in the latest version of Linux staging tree, we may have found an
> > > > unfixed security bug in the staging/driver/rtl8723bs related to the
> > > > CVE-2021-28660. Now, we would like to contact you to confirm this
> > > > problem.
> > > >
> > > > ===========
> > > > Here is the description of CVE-2021-28660:
> > > >
> > > > "It was discovered that the rtl8188eu WiFi driver did not correctly
> > > > limit the length of SSIDs copied into scan results. An attacker within
> > > > WiFi range could use this to cause a denial of service (crash or
> > > > memory corruption) or possibly to execute code on a vulnerable
> > > > system."
> > > >
> > > > ===========
> > > > The staging driver "rtl8188eu" was fixed by commit
> > > > 74b6b20df8cfe90ada777d621b54c32e69e27cd7 on 2021-03-10.
- The driver rtl8188eu is deprecated. Now exists r8188eu which has
the same security bug, so it needs to be fixed. Again feel free
to submit your own patch.
- If you decide to submit your own patch I suggest to put
your full name in the email address as you submitted a legal
document.
vim 409+ Documentation/process/submitting-patches.rst
> > > >
> > > > However, in another similar staging driver numbered "rtl8723bs", a
> > > > function named “rtw_wx_set_scan” remains the same problem unfixed. And
> > > > it is detected in the
> > > > “drivers/staging/rtl8723bs/os_dep/ioctl_linux.c#Line1354" without
> > > > checking to prevent writing beyond the end of the ->ssid[] array.
> > > >
> > > > Therefore, shall we port the same fix from RTL8188EU to RTL8723BS?
> > >
> > > I think it's a good idea, moreover I've just sent a patch series
> > > aimed at removing that piece of code for it belongs to very
> > > old wext implementation.
> > >
> > > But until it's not accepted by the maintainer that security bug
> > > is present and harmful. If you fix it thank you, if you don't
> > > thank you for reporting this, I will fix as soon as possible.
> > >
> > > >
> > > > Thank you!
> > >
> > > thank you,
> > >
> > > fabio
thank you for your report,
fabio
next prev parent reply other threads:[~2021-08-24 7:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CABv53a_q4jzsXib7ovRs=eOwqcQ-oKb8c7DA7uUSPf+0tt6aog@mail.gmail.com>
[not found] ` <20210823170624.GA1420@agape.jhs>
2021-08-24 2:07 ` staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs iLifetruth
2021-08-24 7:04 ` iLifetruth
2021-08-24 7:28 ` Greg KH
2021-08-24 7:40 ` Fabio Aiuto [this message]
2021-08-24 7:46 ` Fabio Aiuto
2021-08-24 8:47 ` iLifetruth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210824074055.GA1421@agape.jhs \
--to=fabioaiuto83@gmail.com \
--cc=Larry.Finger@lwfinger.net \
--cc=cyruscyliu@gmail.com \
--cc=fmdefrancesco@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=insafonov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcocesati@gmail.com \
--cc=martin@kaiser.cx \
--cc=phil@philpotter.co.uk \
--cc=ross.schm.dev@gmail.com \
--cc=straube.linux@gmail.com \
--cc=yajin@vm-kernel.org \
--cc=yixiaonn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).