From: Larry Finger <Larry.Finger@lwfinger.net>
To: gregkh@linuxfoundation.org
Cc: netdev@vger.kernel.org, devel@driverdev.osuosl.org,
Larry Finger <Larry.Finger@lwfinger.net>,
Pietro Oliva <pietroliva@gmail.com>,
Stable <stable@vger.kernel.org>
Subject: [PATCH 2/6] staging: rtl8723bs: Fix potential security hole
Date: Mon, 10 Feb 2020 12:02:31 -0600 [thread overview]
Message-ID: <20200210180235.21691-3-Larry.Finger@lwfinger.net> (raw)
In-Reply-To: <20200210180235.21691-1-Larry.Finger@lwfinger.net>
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index db6528a01229..3128766dd50e 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -4207,7 +4207,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
/* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */
- if (!p->pointer) {
+ if (!p->pointer || p->length != sizeof(*param)) {
ret = -EINVAL;
goto out;
}
--
2.25.0
WARNING: multiple messages have this Message-ID (diff)
From: Larry Finger <Larry.Finger@lwfinger.net>
To: gregkh@linuxfoundation.org
Cc: devel@driverdev.osuosl.org, netdev@vger.kernel.org,
Stable <stable@vger.kernel.org>,
Pietro Oliva <pietroliva@gmail.com>,
Larry Finger <Larry.Finger@lwfinger.net>
Subject: [PATCH 2/6] staging: rtl8723bs: Fix potential security hole
Date: Mon, 10 Feb 2020 12:02:31 -0600 [thread overview]
Message-ID: <20200210180235.21691-3-Larry.Finger@lwfinger.net> (raw)
In-Reply-To: <20200210180235.21691-1-Larry.Finger@lwfinger.net>
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index db6528a01229..3128766dd50e 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -4207,7 +4207,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
/* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */
- if (!p->pointer) {
+ if (!p->pointer || p->length != sizeof(*param)) {
ret = -EINVAL;
goto out;
}
--
2.25.0
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next prev parent reply other threads:[~2020-02-10 18:02 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 1/6] staging: rtl8188eu: Fix potential security hole Larry Finger
2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` Larry Finger [this message]
2020-02-10 18:02 ` [PATCH 2/6] staging: rtl8723bs: " Larry Finger
2020-02-11 14:17 ` Sasha Levin
2020-02-10 18:02 ` [PATCH 3/6] staging: rtl8188eu: Fix potential overuse of kernel memory Larry Finger
2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 4/6] staging: rtl8723bs: " Larry Finger
2020-02-10 18:02 ` Larry Finger
2020-02-10 18:27 ` Greg KH
2020-02-10 18:27 ` Greg KH
2020-02-10 18:02 ` [PATCH 5/6] staging: rtl8188eu: Remove some unneeded goto statements Larry Finger
2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 6/6] staging: rtl8723bs: Remove " Larry Finger
2020-02-10 18:02 ` Larry Finger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200210180235.21691-3-Larry.Finger@lwfinger.net \
--to=larry.finger@lwfinger.net \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=netdev@vger.kernel.org \
--cc=pietroliva@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.