[PATCH 0/1][SRU][B/D] CVE-2019-17666: rtl8822b buffer overflow

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html

 rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
 Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
 to a buffer overflow.

I've followed the suggestion from the rtlwifi maintainer here:

 https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../

A fix is not yet available upstream, which is why this is labeled a
SAUCE patch.

Clean cherry pick to all releases. Build tested with clean build logs.

Tyler

Tyler Hicks (1):
  UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code

 drivers/staging/rtlwifi/ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/1] UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code

Tyler Hicks-2
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the
two.

CVE-2019-17666

Reported-by: Nicolas Waisman <[hidden email]>
Suggested-by: Ping-Ke Shih <[hidden email]>
[tyhicks: Reuse nearly all of a commit message written by Laura Abbott]
Signed-off-by: Tyler Hicks <[hidden email]>
---
 drivers/staging/rtlwifi/ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtlwifi/ps.c b/drivers/staging/rtlwifi/ps.c
index 7856fc5d10bd..11d1d497e3a5 100644
--- a/drivers/staging/rtlwifi/ps.c
+++ b/drivers/staging/rtlwifi/ps.c
@@ -768,7 +768,7 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
  noa_len);
  return;
  }
- noa_num = (noa_len - 2) / 13;
+ noa_num = min((noa_len - 2) / 13, P2P_MAX_NOA_NUM);
  noa_index = ie[3];
  if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
     P2P_PS_NONE || noa_index != p2pinfo->noa_index) {
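Review bot: the clamped assignment in rtl_p2p_noa_ie discards any descriptors beyond P2P_MAX_NOA_NUM without leaving a trace, whereas the noa_len check in the context lines just above it ends in a call that takes noa_len before returning. A debug message when (noa_len - 2) / 13 exceeds the limit would make truncated frames visible in logs, and a one-line comment saying what the 2 and the 13 stand for would let a reader confirm that the bound matches the p2pinfo buffers the commit message refers to.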
@@ -861,7 +861,7 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
  noa_len);
  return;
  }
- noa_num = (noa_len - 2) / 13;
+ noa_num = min((noa_len - 2) / 13, P2P_MAX_NOA_NUM);
  noa_index = ie[3];
  if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
     P2P_PS_NONE || noa_index != p2pinfo->noa_index) {
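Review bot: rtl_p2p_action_ie gets the same clamp here, yet the CVE description in the cover letter names only rtl_p2p_noa_ie and the commit message names neither function; the commit message should say that both parsers are covered. Since min((noa_len - 2) / 13, P2P_MAX_NOA_NUM) now appears verbatim in two places, a small shared helper would keep the two bounds from drifting apart in later changes.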
--
2.17.1
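
The following is an added example, not part of the posted patch or the rtlwifi driver: a userspace model of the count computation the commit message describes, with the pre-patch and clamped forms side by side. The struct, the helper names, the value 2 for P2P_MAX_NOA_NUM and the modulo form of the length check are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P2P_MAX_NOA_NUM 2   /* assumed value for this model */
#define NOA_HDR_LEN     2   /* the "2" in (noa_len - 2) / 13 */
#define NOA_DESC_LEN    13  /* the "13" in (noa_len - 2) / 13 */

/* Hypothetical stand-in for the fixed-size arrays in p2pinfo. */
struct noa_state {
    uint8_t count[P2P_MAX_NOA_NUM];
    uint8_t canary[4];      /* neighbouring memory an overrun would hit */
};

/* Pre-patch count: limited only by the length field in the frame. */
static int noa_num_unchecked(uint16_t noa_len)
{
    return (noa_len - NOA_HDR_LEN) / NOA_DESC_LEN;
}

/* Post-patch count: the min() from the hunk, written out. */
static int noa_num_clamped(uint16_t noa_len)
{
    int n = noa_num_unchecked(noa_len);
    return n < P2P_MAX_NOA_NUM ? n : P2P_MAX_NOA_NUM;
}

/* Parse header + 13-byte descriptors; returns descriptors stored or -1. */
static int parse_noa(const uint8_t *body, size_t avail, uint16_t noa_len,
                     struct noa_state *st)
{
    if (noa_len < NOA_HDR_LEN || noa_len > avail)
        return -1;  /* length field outside the data actually received */
    if ((noa_len - NOA_HDR_LEN) % NOA_DESC_LEN != 0)
        return -1;  /* assumed form of the "compatible length" check */
    int n = noa_num_clamped(noa_len);
    for (int i = 0; i < n; i++)  /* first byte of each descriptor */
        st->count[i] = body[NOA_HDR_LEN + i * NOA_DESC_LEN];
    return n;
}

int main(void)
{
    uint8_t body[NOA_HDR_LEN + 5 * NOA_DESC_LEN] = {0};  /* constructed: 5 descriptors */
    struct noa_state st = {{0}, {0}};
    printf("unchecked=%d stored=%d\n", noa_num_unchecked(sizeof(body)),
           parse_noa(body, sizeof(body), sizeof(body), &st));
    return 0;
}
```

A length that passes the divisibility check can still describe more descriptors than the array holds, which is why the count itself needs the bound.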



ACK: [PATCH 0/1][SRU][B/D] CVE-2019-17666: rtl8822b buffer overflow

Andrea Righi
In reply to this post by Tyler Hicks-2
On Fri, Oct 18, 2019 at 07:13:33AM +0000, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code
>
>  drivers/staging/rtlwifi/ps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Acked-by: Andrea Righi <[hidden email]>


ACK: [PATCH 0/1][SRU][B/D] CVE-2019-17666: rtl8822b buffer overflow

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 18.10.19 09:13, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code
>
>  drivers/staging/rtlwifi/ps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>



ACK: [PATCH 1/1] UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code

Kleber Souza
In reply to this post by Tyler Hicks-2
On 18.10.19 09:13, Tyler Hicks wrote:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the
> two.
>
> CVE-2019-17666
>
> Reported-by: Nicolas Waisman <[hidden email]>
> Suggested-by: Ping-Ke Shih <[hidden email]>
> [tyhicks: Reuse nearly all of a commit message written by Laura Abbott]
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  drivers/staging/rtlwifi/ps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/rtlwifi/ps.c b/drivers/staging/rtlwifi/ps.c
> index 7856fc5d10bd..11d1d497e3a5 100644
> --- a/drivers/staging/rtlwifi/ps.c
> +++ b/drivers/staging/rtlwifi/ps.c
> @@ -768,7 +768,7 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>   noa_len);
>   return;
>   }
> - noa_num = (noa_len - 2) / 13;
> + noa_num = min((noa_len - 2) / 13, P2P_MAX_NOA_NUM);
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>      P2P_PS_NONE || noa_index != p2pinfo->noa_index) {
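Review bot: the rtl_p2p_noa_ie change above is applied to drivers/staging/rtlwifi/ps.c, while the CVE description in the cover letter gives the function's location as drivers/net/wireless/realtek/rtlwifi/ps.c. The commit message should state whether the non-staging file carries the same noa_num computation in these releases and, if it does, where that copy is being fixed.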
> @@ -861,7 +861,7 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>   noa_len);
>   return;
>   }
> - noa_num = (noa_len - 2) / 13;
> + noa_num = min((noa_len - 2) / 13, P2P_MAX_NOA_NUM);
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>      P2P_PS_NONE || noa_index != p2pinfo->noa_index) {
>



APPLIED: [PATCH 0/1][SRU][B/D] CVE-2019-17666: rtl8822b buffer overflow

Khaled Elmously
In reply to this post by Tyler Hicks-2
On 2019-10-18 07:13:33, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code
>
>  drivers/staging/rtlwifi/ps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> --
> 2.17.1