Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Message-ID: <855d90d7-70a2-da82-d62c-e8c030411852@oracle.com>
Date:   Wed, 18 May 2022 11:49:27 +0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.9.0
Subject: Re: [PATCH] staging: r8188eu: prevent ->Ssid overflow in
 rtw_wx_set_scan()
Content-Language: en-US
To:     Larry.Finger@lwfinger.net
Cc:     phil@philpotter.co.uk, gregkh@linuxfoundation.org,
        dan.carpenter@oracle.com, straube.linux@gmail.com,
        linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
        kernel-janitors@vger.kernel.org, stable <stable@vger.kernel.org>
References: <YEHymwsnHewzoam7@mwanda>
 <20220518070052.108287-1-denis.e.efremov@oracle.com>
From:   Denis Efremov <denis.e.efremov@oracle.com>
In-Reply-To: <20220518070052.108287-1-denis.e.efremov@oracle.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?Q21qdWNkSkNaNVR4SFRxcXV6eHZFVGN4SEFQRUwvYjVqMTJ4dUVldjluTEcw?=
 =?utf-8?B?U3RNT0Z0VmNCWExueFc2RXJyd3lUQVllUExXSlBuUkdWbStSbzNQTzd3YkRi?=
 =?utf-8?B?ZzJWeG91cnlyRlgybTNPMitvNlJvcXczenB4aGtsMEl1b3hLR3ZLNEdPMlBS?=
 =?utf-8?B?UUpRTzlmTXZ5VTg4c0dvZ3NJRzJjWXViclI1bTR1UWNQS3J1WHdMdDBGUnlU?=
 =?utf-8?B?RTVWMk1TdWQ5NGxianBHcEVZZUx5bzVDeWdTY1h6YWpQaFBLNFVkMFBDTnpT?=
 =?utf-8?B?ODZUWVp0emVXVy9BelNQL3kxeTgycTdmWmF2WDMySEk1YThBOVlQdU1WVE9S?=
 =?utf-8?B?NXdoL2t1ajV6Nnc5R2dNNkd4Qzl0OVBaMG9QWWZBcTdzaEY2aHljc1MyNlBs?=
 =?utf-8?B?L1ZhV0dlbnVDcVFpMTcvT2pJZStjN0NTU3ZEdEFPazljcXlMWkxxWXlUTXV1?=
 =?utf-8?B?K1lkc2tDaXdxMTRGZVlDSHNFNThMYUV2ZGZjRE0xS2VRTFh5OEt1V2taNHFu?=
 =?utf-8?B?aWhFZStvQlh5bjV0c0wxUldsZDZYVTNkcm41bWhJaDZPeHduTHZaRU1Rd3NB?=
 =?utf-8?B?dWtBS0VHblJTVWhhZFEwR0JwNTFSQnlrRFdsSEYwTnlBc1Jib09uZThWaFNI?=
 =?utf-8?B?cDhabWVsTlY3OTMvc2tBV0xKUFNzOTBXSWVOM25NSE1SLytraEp4d1Q3RFU0?=
 =?utf-8?B?QmI3enVXeGtuMFl3Zzk2dVNzV285WnUyZ3pYbUt3S3JvbkkxVXV6SUx1SDhV?=
 =?utf-8?B?QnQwa0o5NmlQenpKYUJyQ3dkc0d3K2JaK0RQaGhiL1Z6Z3RQOGZ0dkNyUk15?=
 =?utf-8?B?bDFkaEVJdS8vdXRFV0NvbHlEVzFqenUyWkJIbkpSNlVBcjdVbjVJcDBlajhy?=
 =?utf-8?B?UEdrRVQwd1I1VDVNOWovQ01uNCtzbjlwZFpSTFJ5Nks2VFFTaWphNDdsczM4?=
 =?utf-8?B?SGZIemxLZks3dHNOZGpkY28rMlFxNW9QaXovSm5kZURQeEhrUkcreDJwTVBo?=
 =?utf-8?B?ZlE3ZVFQeEpJL0haQlJKRmFvMXlPbFZNSlZBa3Z2d3ozc05IT1V3ODNhWnpX?=
 =?utf-8?B?aVF6RVp4dkl1V1ZBL3RnRXRSeWxBS1lsY2pWSXlsTUZ3K29UUHVNU2N5RFdS?=
 =?utf-8?B?aTZTdjdLRllWRmNoUSt6ZDdGaHJrN3hOT2pKUmtGWmNreHhyQkEyOFNaeG5F?=
 =?utf-8?B?MlVPNEx4aTdUcUY3ZDk1aGllZ3NmOFBYc3doSXRMV1Q3WFltSDYyRlpBU2t2?=
 =?utf-8?B?MUJWUEdIa3BOMm45T3o1NlpRRk9jcUxsL3hwbWVkdzMwZlZUSEYySDhEM3Bu?=
 =?utf-8?B?aW1Bc05PUDZONFUySmpLNjRnY2J1QzEyenJRaktocXRUVUs4WXNRd3NEdjhP?=
 =?utf-8?B?Q21FT2Q5UXRrT3BUMzhQNEs5enhsMVVIMHRZM21hbW05c3lEejVJd1d2bHhw?=
 =?utf-8?B?N1J3MFlkR2ZnMEJjVzdhb3pFU0pNVVJVNmdhbDdKeU01UlZ1dncwMU85bW9v?=
 =?utf-8?B?VGV6RXQxYWhSSXhJMC9iUklTZm5JNVowQWIxbGU4UW9UUFRmSmdIOHB1aVZ3?=
 =?utf-8?B?NklwK0oybThmYXAvQnE1eDRuN1hIUDQvTkRFNFlXYVdQUHFGbWgrdlhPSTdT?=
 =?utf-8?B?THBsbit3MkZRQnViUUowTFdWNEZMc21mY2NqT01kMnVhOGozZytQY2RqRGdx?=
 =?utf-8?B?NWdCUzkreXdXOXU5RTVaMDI1K1dlaDFoQXpYemUzMzhnVmtzZzAxTUU5SXpU?=
 =?utf-8?B?bFJRWk9Kam5LbDQ1ZDFDaW9OMVJwZ3hmTy9QU3pPZ2JNVHdKYlRJYXE0a3RQ?=
 =?utf-8?B?ZDQvZEhHTWVNbHh1cVViMTVZcGtsUy9NOGJ2M3lFWjRtSXVMeDYyRW9IMWxy?=
 =?utf-8?B?YWVYZ2pnOWF1NVY3SU1nYUtUT0hRYUp3NnBzUVV5V2p6dU12RUF6NEF0NE9H?=
 =?utf-8?B?VmpMdkNrcVdVVW1NRWw5ZXNGL3ZUQktybm1vb0hwaWhTeVpyREh1QlFSVnl4?=
 =?utf-8?B?N2Z0WVE4b0lrS0poeTFHL3BsRkpndWxuNmxacVR4N3hwWTNWbmxGZkp0RFlR?=
 =?utf-8?B?S3QvVUVmdlB4MGxUQnJDcDU3TzUra1NRZ1drRUFsSm5QeHlkcndLZi9jZU5H?=
 =?utf-8?B?RFVDVmR3ZDFNNklRdmx6WFZWMmlYaktwMDFYMDhWcmllU3ZkN3N1Ym5YTDJH?=
 =?utf-8?B?Mk1VTXdlMlRQalRyNWZaWTJLTUN0MTdMNkJoZkdxZE4xQWJHUjBHTlJYbzhJ?=
 =?utf-8?B?SEhOQk9rd3AvODdyMnBGL0JSdHYra2xTaStBZ2JwRkxaMWVNdFNYV25PWXFH?=
 =?utf-8?B?WXpxaG1sQ2pXQ3JNYUV5OG9WVHJsVElNTStyR090dkRpT2ZaajdiREFZUXBP?=
 =?utf-8?Q?osVyMWxiUbzlRQIM=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b5507b79-8814-42eb-4b0d-08da38a2f5b4
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB4638.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 May 2022 07:49:38.8357
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: gXpj/9IO1snFI53SrYbsq8nIxVkQJwKWQ4bEAo02H2EmuTa9l2ZO9fXAFAU3evscXVXkPQ2uogQfgikrL9nqsRAqukaW55YuvZieiLzGjHQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR10MB3913
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486,18.0.874
 definitions=2022-05-18_02:2022-05-17,2022-05-18 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 malwarescore=0 mlxscore=0
 phishscore=0 bulkscore=0 mlxlogscore=999 adultscore=0 suspectscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000
 definitions=main-2205180038
X-Proofpoint-GUID: UT7QzZDG6q0t-bxvw4_c--cc-KyqgkUs
X-Proofpoint-ORIG-GUID: UT7QzZDG6q0t-bxvw4_c--cc-KyqgkUs
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE,
	T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 5/18/22 11:00, Denis Efremov wrote:
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->Ssid[] array.
> 
> Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
> ---
> 
> This patch is a copy of Dan's 74b6b20df8cf (CVE-2021-28660).
> Drivers r8188eu and rtl8188eu share the same code.

I also found same code pattern in rtl8723bs driver in
stable kernels 5.10, 5.4, 4.19, 4.14.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c?h=linux-5.10.y#n1354
I can send the same fix to stable trees if appropriate.

> 
>  drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> index eb9375b0c660..a2692ce02bc2 100644
> --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> @@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,
>  						break;
>  					}
>  					sec_len = *(pos++); len -= 1;
> -					if (sec_len > 0 && sec_len <= len) {
> +					if (sec_len > 0 &&
> +					    sec_len <= len &&
> +					    sec_len <= 32) {
>  						ssid[ssid_index].SsidLength = sec_len;
> -						memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
> +						memcpy(ssid[ssid_index].Ssid, pos, sec_len);
>  						ssid_index++;
>  					}
>  					pos += sec_len;