From: Igor Artemiev
To: Larry Finger
Cc: Igor Artemiev, Florian Schilhabel, Greg Kroah-Hartman, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [lvc-project] [PATCH] staging: rtl8712: fix buffer overflow in r8712_xmitframe_complete()
Date: Tue, 19 Sep 2023 12:23:18 +0300
Message-Id: <20230919092318.14837-1-Igor.A.Artemiev@mcst.ru>

The value of pxmitframe->attrib.priority in r8712_issue_addbareq_cmd(), which dump_xframe() calls, is used to calculate the index for accessing an array of size 16. The value of pxmitframe->attrib.priority can be greater than 15, because the r8712_update_attrib() function can write a value up to 31 to attrib.priority, and r8712_xmitframe_complete() checks that pxmitframe->attrib.priority is less than 16 before calling r8712_xmitframe_coalesce().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Igor Artemiev
--- drivers/staging/rtl8712/rtl8712_xmit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8712/rtl8712_xmit.c b/drivers/staging/rtl8712/rtl8712_xmit.c index 4cb01f590673..8a39a3c8cfcb 100644 --- a/drivers/staging/rtl8712/rtl8712_xmit.c 
+++ b/drivers/staging/rtl8712/rtl8712_xmit.c @@ -669,7 +669,7 @@ int r8712_xmitframe_complete(struct _adapter *padapter, */ r8712_xmit_complete(padapter, pxmitframe); } - if (res == _SUCCESS) + if (res == _SUCCESS && pxmitframe->attrib.priority <= 15) dump_xframe(padapter, pxmitframe); else r8712_free_xmitframe_ex(pxmitpriv, pxmitframe); -- 2.30.2
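
Review bot: The new condition `res == _SUCCESS && pxmitframe->attrib.priority <= 15` in r8712_xmitframe_complete() guards only this one call to dump_xframe(), while the commit message places the out-of-bounds index in r8712_issue_addbareq_cmd() and the out-of-range value in r8712_update_attrib(), which can write up to 31. Validating or masking the priority where it is written, or bounds-checking it where the array is indexed, would cover any other path that reaches the array and would let the bound be derived from the array's size instead of the literal 15. As written, a frame that coalesced successfully but carries a priority above 15 falls into the else branch and is released by r8712_free_xmitframe_ex(), with nothing in this hunk to log or report the drop, so the commit message should say whether discarding such frames is intended. The sentence stating that r8712_xmitframe_complete() "checks that pxmitframe->attrib.priority is less than 16" reads as though the check already exists and should be reworded to describe the pre-patch behaviour.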