From: Larry Finger <Larry.Finger@lwfinger.net> To: gregkh@linuxfoundation.org Cc: netdev@vger.kernel.org, devel@driverdev.osuosl.org, Larry Finger <Larry.Finger@lwfinger.net>, Pietro Oliva <pietroliva@gmail.com>, Stable <stable@vger.kernel.org> Subject: [PATCH 2/6] staging: rtl8723bs: Fix potential security hole Date: Mon, 10 Feb 2020 12:02:31 -0600 [thread overview] Message-ID: <20200210180235.21691-3-Larry.Finger@lwfinger.net> (raw) In-Reply-To: <20200210180235.21691-1-Larry.Finger@lwfinger.net> In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed to be at least the size of struct ieee_param size, but this assumption is never checked. This could result in out-of-bounds read/write on kernel heap in case a p->length less than the size of struct ieee_param is specified by the user. If p->length is allowed to be greater than the size of the struct, then a malicious user could be wasting kernel memory. Fixes commit 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver"). Reported by: Pietro Oliva <pietroliva@gmail.com> Cc: Pietro Oliva <pietroliva@gmail.com> Cc: Stable <stable@vger.kernel.org> Fixes 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver"). Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index db6528a01229..3128766dd50e 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -4207,7 +4207,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p) /* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */ - if (!p->pointer) { + if (!p->pointer || p->length != sizeof(*param)) { ret = -EINVAL; goto out; } -- 2.25.0
WARNING: multiple messages have this Message-ID (diff)
From: Larry Finger <Larry.Finger@lwfinger.net> To: gregkh@linuxfoundation.org Cc: devel@driverdev.osuosl.org, netdev@vger.kernel.org, Stable <stable@vger.kernel.org>, Pietro Oliva <pietroliva@gmail.com>, Larry Finger <Larry.Finger@lwfinger.net> Subject: [PATCH 2/6] staging: rtl8723bs: Fix potential security hole Date: Mon, 10 Feb 2020 12:02:31 -0600 [thread overview] Message-ID: <20200210180235.21691-3-Larry.Finger@lwfinger.net> (raw) In-Reply-To: <20200210180235.21691-1-Larry.Finger@lwfinger.net> In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed to be at least the size of struct ieee_param size, but this assumption is never checked. This could result in out-of-bounds read/write on kernel heap in case a p->length less than the size of struct ieee_param is specified by the user. If p->length is allowed to be greater than the size of the struct, then a malicious user could be wasting kernel memory. Fixes commit 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver"). Reported by: Pietro Oliva <pietroliva@gmail.com> Cc: Pietro Oliva <pietroliva@gmail.com> Cc: Stable <stable@vger.kernel.org> Fixes 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver"). Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index db6528a01229..3128766dd50e 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -4207,7 +4207,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p) /* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */ - if (!p->pointer) { + if (!p->pointer || p->length != sizeof(*param)) { ret = -EINVAL; goto out; } -- 2.25.0 _______________________________________________ devel mailing list devel@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next prev parent reply other threads:[~2020-02-10 18:02 UTC|newest] Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger 2020-02-10 18:02 ` Larry Finger 2020-02-10 18:02 ` [PATCH 1/6] staging: rtl8188eu: Fix potential security hole Larry Finger 2020-02-10 18:02 ` Larry Finger 2020-02-10 18:02 ` Larry Finger [this message] 2020-02-10 18:02 ` [PATCH 2/6] staging: rtl8723bs: " Larry Finger 2020-02-11 14:17 ` Sasha Levin 2020-02-10 18:02 ` [PATCH 3/6] staging: rtl8188eu: Fix potential overuse of kernel memory Larry Finger 2020-02-10 18:02 ` Larry Finger 2020-02-10 18:02 ` [PATCH 4/6] staging: rtl8723bs: " Larry Finger 2020-02-10 18:02 ` Larry Finger 2020-02-10 18:27 ` Greg KH 2020-02-10 18:27 ` Greg KH 2020-02-10 18:02 ` [PATCH 5/6] staging: rtl8188eu: Remove some unneeded goto statements Larry Finger 2020-02-10 18:02 ` Larry Finger 2020-02-10 18:02 ` [PATCH 6/6] staging: rtl8723bs: Remove " Larry Finger 2020-02-10 18:02 ` Larry Finger
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200210180235.21691-3-Larry.Finger@lwfinger.net \ --to=larry.finger@lwfinger.net \ --cc=devel@driverdev.osuosl.org \ --cc=gregkh@linuxfoundation.org \ --cc=netdev@vger.kernel.org \ --cc=pietroliva@gmail.com \ --cc=stable@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.