2022-05-18 07:15:26

by Denis Efremov

Subject: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()

This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->Ssid[] array.

Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
Cc: stable <[email protected]>
Signed-off-by: Denis Efremov <[email protected]>
---

This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
Drivers r8188eu and rtl8188eu share the same code.

drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
index eb9375b0c660..a2692ce02bc2 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,
break;
}
sec_len = *(pos++); len -= 1;
- if (sec_len > 0 && sec_len <= len) {
+ if (sec_len > 0 &&
+ sec_len <= len &&
+ sec_len <= 32) {
ssid[ssid_index].SsidLength = sec_len;
- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
+ memcpy(ssid[ssid_index].Ssid, pos, sec_len);
ssid_index++;
}
pos += sec_len;
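
Review bot: the new bound in the added condition, sec_len <= 32, is a bare literal that has to be kept in step with the declared size of ->Ssid[] by hand. Deriving it from the destination, for example sec_len <= sizeof(ssid[ssid_index].Ssid), ties the check to the array that the memcpy() on the next added line writes into, so a later change to the structure cannot silently reopen the overflow. Passing sec_len to memcpy() instead of re-reading SsidLength is a good change, since the checked value and the copied length are now visibly the same variable.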
--
2.35.3



2022-05-18 07:50:10

by Denis Efremov

Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()



On 5/18/22 11:00, Denis Efremov wrote:
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->Ssid[] array.
>
> Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> Cc: stable <[email protected]>
> Signed-off-by: Denis Efremov <[email protected]>
> ---
>
> This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> Drivers r8188eu and rtl8188eu share the same code.

I also found the same code pattern in rtl8723bs driver in
stable kernels 5.10, 5.4, 4.19, 4.14.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c?h=linux-5.10.y#n1354
I can send the same fix to stable trees if appropriate.

>
> drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> index eb9375b0c660..a2692ce02bc2 100644
> --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> @@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,
> break;
> }
> sec_len = *(pos++); len -= 1;
> - if (sec_len > 0 && sec_len <= len) {
> + if (sec_len > 0 &&
> + sec_len <= len &&
> + sec_len <= 32) {
> ssid[ssid_index].SsidLength = sec_len;
> - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
> + memcpy(ssid[ssid_index].Ssid, pos, sec_len);
> ssid_index++;
> }
> pos += sec_len;
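
Review bot: a section that fails the new sec_len <= 32 test is dropped silently, and the trailing context line pos += sec_len; still runs for it, so parsing carries on as if the request were well formed. Consider whether an over-long SSID section should fail the ioctl with an error instead of being skipped. Also confirm that the code after this hunk reduces len by sec_len on the skipped path too, because the hunk shows pos advancing even when sec_len > len and the len update is not visible here.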

2022-05-19 22:59:13

by Greg Kroah-Hartman

Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()

On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote:
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->Ssid[] array.
>
> Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> Cc: stable <[email protected]>
> Signed-off-by: Denis Efremov <[email protected]>
> ---
>
> This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> Drivers r8188eu and rtl8188eu share the same code.

This does not apply to my tree at all. This file is not present anymore,
what tree did you make it against?

confused,

greg k-h

2022-05-20 21:54:49

by Dan Carpenter

Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()

On Thu, May 19, 2022 at 05:45:31PM +0200, Greg KH wrote:
> On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote:
> > This code has a check to prevent read overflow but it needs another
> > check to prevent writing beyond the end of the ->Ssid[] array.
> >
> > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> > Cc: stable <[email protected]>
> > Signed-off-by: Denis Efremov <[email protected]>
> > ---
> >
> > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> > Drivers r8188eu and rtl8188eu share the same code.
>
> This does not apply to my tree at all. This file is not present anymore,
> what tree did you make it against?
>

That's weird. It applies fine for me on today's linux-next.

regards,
dan carpenter


2022-05-21 05:04:04

by Greg Kroah-Hartman

Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()

On Wed, May 18, 2022 at 11:49:27AM +0400, Denis Efremov wrote:
>
>
> On 5/18/22 11:00, Denis Efremov wrote:
> > This code has a check to prevent read overflow but it needs another
> > check to prevent writing beyond the end of the ->Ssid[] array.
> >
> > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> > Cc: stable <[email protected]>
> > Signed-off-by: Denis Efremov <[email protected]>
> > ---
> >
> > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> > Drivers r8188eu and rtl8188eu share the same code.
>
> I also found the same code pattern in rtl8723bs driver in
> stable kernels 5.10, 5.4, 4.19, 4.14.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c?h=linux-5.10.y#n1354
> I can send the same fix to stable trees if appropriate.

Please do!

thanks,

greg k-h

2022-05-23 06:06:14

by Greg Kroah-Hartman

Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()

On Thu, May 19, 2022 at 08:16:28PM +0300, Dan Carpenter wrote:
> On Thu, May 19, 2022 at 05:45:31PM +0200, Greg KH wrote:
> > On Wed, May 18, 2022 at 11:00:52AM +0400, Denis Efremov wrote:
> > > This code has a check to prevent read overflow but it needs another
> > > check to prevent writing beyond the end of the ->Ssid[] array.
> > >
> > > Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> > > Cc: stable <[email protected]>
> > > Signed-off-by: Denis Efremov <[email protected]>
> > > ---
> > >
> > > This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> > > Drivers r8188eu and rtl8188eu share the same code.
> >
> > This does not apply to my tree at all. This file is not present anymore,
> > what tree did you make it against?
> >
>
> That's weird. It applies fine for me on today's linux-next.

Ok, really weird, it worked this time. I'll blame my email setup
somehow, I was churning through lots of patches at once...

thanks for checking.

greg k-h

2022-05-23 07:16:24

by Denis Efremov (Oracle)

Subject: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->Ssid[] array.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <[email protected]>
Signed-off-by: Denis Efremov (Oracle) <[email protected]>
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 902ac8169948..083ff72976cf 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,

sec_len = *(pos++); len -= 1;

- if (sec_len > 0 && sec_len <= len) {
+ if (sec_len > 0 &&
+ sec_len <= len &&
+ sec_len <= 32) {
ssid[ssid_index].SsidLength = sec_len;
- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
+ memcpy(ssid[ssid_index].Ssid, pos, sec_len);
/* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */
/* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */
ssid_index++;
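
Review bot: the commented-out DBG_871X() kept as context just after the memcpy() formats ssid[ssid_index].Ssid with %s, but the copy writes exactly sec_len bytes and adds no terminator. With sec_len now allowed up to 32, anyone re-enabling that debug line could print past the copied bytes unless the buffer is zeroed and larger than 32 elsewhere, which this hunk does not show. Either delete the dead comment as part of the fix or change its format to a length-bounded one such as %.*s with SsidLength.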
--
2.35.3


2022-05-23 15:26:29

by Greg Kroah-Hartman

Subject: Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->Ssid[] array.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable <[email protected]>
> Signed-off-by: Denis Efremov (Oracle) <[email protected]>
> ---
> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)

And only 5.10 needs this? What about all other kernel branches?

thanks,

greg k-h

2022-05-23 18:20:00

by Denis Efremov (Oracle)

Subject: [PATCH v5.4-v4.14] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->Ssid[] array.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <[email protected]>
Signed-off-by: Denis Efremov (Oracle) <[email protected]>
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index d8d44fd9a92f..ea2fd3a73c3a 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,

sec_len = *(pos++); len-= 1;

- if (sec_len>0 && sec_len<=len) {
+ if (sec_len > 0 &&
+ sec_len <= len &&
+ sec_len <= 32) {
ssid[ssid_index].SsidLength = sec_len;
- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
+ memcpy(ssid[ssid_index].Ssid, pos, sec_len);
/* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */
/* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */
ssid_index++;
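
Review bot: ssid_index++ on the last context line has no upper bound visible in this hunk, and the added sec_len <= 32 check only limits how many bytes go into one ->Ssid[] entry, not which entry of ssid[] is written. Please confirm that the enclosing loop stops accepting SSID sections once ssid_index reaches the number of elements in ssid[]. If it does not, a bound on ssid_index belongs in the same condition as the length checks.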
--
2.36.1


2022-05-23 18:24:26

by Denis Efremov (Oracle)

Subject: Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

Hi,

On 5/23/22 19:26, Greg KH wrote:
> On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
>> This code has a check to prevent read overflow but it needs another
>> check to prevent writing beyond the end of the ->Ssid[] array.
>>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable <[email protected]>
>> Signed-off-by: Denis Efremov (Oracle) <[email protected]>
>> ---
>> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> And only 5.10 needs this? What about all other kernel branches?
>

From 5.10, 5.4, 4.19, to 4.14.

There is a small spaces conflict in 5.4-4.14 kernels because of
c77761d660a6 staging: rtl8723bs: Fix spacing issues

I sent another patch to handle it.

Thanks,
Denis

2022-05-28 11:40:43

by Greg Kroah-Hartman

Subject: Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

On Mon, May 23, 2022 at 09:41:09PM +0400, Denis Efremov wrote:
> Hi,
>
> On 5/23/22 19:26, Greg KH wrote:
> > On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
> >> This code has a check to prevent read overflow but it needs another
> >> check to prevent writing beyond the end of the ->Ssid[] array.
> >>
> >> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> >> Cc: stable <[email protected]>
> >> Signed-off-by: Denis Efremov (Oracle) <[email protected]>
> >> ---
> >> drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
> >> 1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > And only 5.10 needs this? What about all other kernel branches?
> >
>
> From 5.10, 5.4, 4.19, to 4.14.
>
> There is a small spaces conflict in 5.4-4.14 kernels because of
> c77761d660a6 staging: rtl8723bs: Fix spacing issues
>
> I sent another patch to handle it.

Thanks, all now queued up.

greg k-h