2023-09-19 09:28:54

by Igor Artemiev

[permalink] [raw]
Subject: [lvc-project] [PATCH] staging: rtl8712: fix buffer overflow in r8712_xmitframe_complete()

The value of pxmitframe->attrib.priority in r8712_issue_addbareq_cmd(),
which dump_xframe() calls, is used to calculate the index for accessing
an array of size 16. The value of pxmitframe->attrib.priority can be
greater than 15, because the r8712_update_attrib() function can write
a value up to 31 to attrib.priority, and r8712_xmitframe_complete()
checks that pxmitframe->attrib.priority is less than 16 before
calling r8712_xmitframe_coalesce().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Igor Artemiev <[email protected]>
---
drivers/staging/rtl8712/rtl8712_xmit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8712/rtl8712_xmit.c b/drivers/staging/rtl8712/rtl8712_xmit.c
index 4cb01f590673..8a39a3c8cfcb 100644
--- a/drivers/staging/rtl8712/rtl8712_xmit.c
+++ b/drivers/staging/rtl8712/rtl8712_xmit.c
@@ -669,7 +669,7 @@ int r8712_xmitframe_complete(struct _adapter *padapter,
*/
r8712_xmit_complete(padapter, pxmitframe);
}
- if (res == _SUCCESS)
+ if (res == _SUCCESS && pxmitframe->attrib.priority <= 15)
dump_xframe(padapter, pxmitframe);
else
r8712_free_xmitframe_ex(pxmitpriv, pxmitframe);
--
2.30.2


2023-10-06 13:37:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [lvc-project] [PATCH] staging: rtl8712: fix buffer overflow in r8712_xmitframe_complete()

On Tue, Sep 19, 2023 at 12:23:18PM +0300, Igor Artemiev wrote:
> The value of pxmitframe->attrib.priority in r8712_issue_addbareq_cmd(),
> which dump_xframe() calls, is used to calculate the index for accessing
> an array of size 16. The value of pxmitframe->attrib.priority can be
> greater than 15, because the r8712_update_attrib() function can write
> a value up to 31 to attrib.priority, and r8712_xmitframe_complete()
> checks that pxmitframe->attrib.priority is less than 16 before
> calling r8712_xmitframe_coalesce().

But that number comes from the hardware, so how can it ever be larger
than 15?

> Found by Linux Verification Center (linuxtesting.org) with SVACE.

How was this tested to verify that it can be triggered and that this
change solves anything?

You have read the kernel documentation for what is required when using
"research tools" like this, right?

thanks,

greg k-h