[PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html

 rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
 Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
 to a buffer overflow.

I've followed the suggestion from the rtlwifi maintainer here:

 https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../

A fix is not yet available upstream, which is why this is labeled a
SAUCE patch.

Clean cherry pick to all releases. Build tested with clean build logs.

Tyler

Tyler Hicks (1):
  UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code

 drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/1] UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code

Tyler Hicks-2
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the
two.

CVE-2019-17666

Reported-by: Nicolas Waisman <[hidden email]>
Suggested-by: Ping-Ke Shih <[hidden email]>
[tyhicks: Reuse nearly all of a commit message written by Laura Abbott]
Signed-off-by: Tyler Hicks <[hidden email]>
---
 drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..3b79c25bc376 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -753,7 +753,8 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
  noa_len);
  return;
  } else {
- noa_num = (noa_len - 2) / 13;
+ noa_num = min((noa_len - 2) / 13,
+      P2P_MAX_NOA_NUM);
  }
  noa_index = ie[3];
  if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
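
Review bot: the hunk does not show the declared types of noa_len and noa_num, and the kernel's min() refuses to compile when its two operands differ in type, so either confirm that `(noa_len - 2) / 13` and `P2P_MAX_NOA_NUM` end up with the same type after integer promotion or write the clamp as `min_t(...)` with the type spelled out. A second point on the same lines: the malformed-length path just above (ending in `noa_len);` followed by `return;`) rejects the frame outright, whereas the new clamp silently discards every descriptor past P2P_MAX_NOA_NUM; a one-line comment stating that the truncation is intentional, or a debug message in the same style as the existing one, would keep the two paths consistent for the next reader.
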
@@ -847,7 +848,8 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
  noa_len);
  return;
  } else {
- noa_num = (noa_len - 2) / 13;
+ noa_num = min((noa_len - 2) / 13,
+      P2P_MAX_NOA_NUM);
  }
  noa_index = ie[3];
  if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
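
Review bot: this is a byte-for-byte copy of the change in rtl_p2p_noa_ie, and both functions then continue identically with `noa_index = ie[3];`, so the length validation and the clamp now live in two places. Consider hoisting them into a small shared helper that takes noa_len and returns the bounded descriptor count (or an error), so that a later change to the 13-byte descriptor size or to P2P_MAX_NOA_NUM cannot be applied to one parser and missed in the other.
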
--
2.17.1


ACK: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Andrea Righi
In reply to this post by Tyler Hicks-2
On Fri, Oct 18, 2019 at 07:13:02AM +0000, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code
>
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

Looks like a safe change to me.

Acked-by: Andrea Righi <[hidden email]>

ACK: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 18.10.19 09:13, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code
>
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>

ACK: [PATCH 1/1] UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code

Kleber Souza
In reply to this post by Tyler Hicks-2
On 18.10.19 09:13, Tyler Hicks wrote:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the
> two.
>
> CVE-2019-17666
>
> Reported-by: Nicolas Waisman <[hidden email]>
> Suggested-by: Ping-Ke Shih <[hidden email]>
> [tyhicks: Reuse nearly all of a commit message written by Laura Abbott]
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..3b79c25bc376 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -753,7 +753,8 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>   noa_len);
>   return;
>   } else {
> - noa_num = (noa_len - 2) / 13;
> + noa_num = min((noa_len - 2) / 13,
> +      P2P_MAX_NOA_NUM);
>   }
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -847,7 +848,8 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>   noa_len);
>   return;
>   } else {
> - noa_num = (noa_len - 2) / 13;
> + noa_num = min((noa_len - 2) / 13,
> +      P2P_MAX_NOA_NUM);
>   }
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>

Re: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Alex Murray
In reply to this post by Tyler Hicks-2

On Fri, 2019-10-18 at 17:43:02 +1030, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code
>
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

The P2P standard does not impose a limit on the number of NOA
descriptors within a frame - so the P2P_MAX_NOA_NUM is an artificial
limit - in which case it seems to make most sense to use min() as you
have done and as was suggested by the rtlwifi maintainer, rather than
dropping the entire frame as Laura did in her original patch.

However I notice that Laura now has an updated patch
https://lkml.org/lkml/2019/10/18/557 that does _not_ use min() but does
the size comparison and clamping directly. This has been queued for 5.4
- https://lkml.org/lkml/2019/10/20/21 - so perhaps it would be worth
resubmitting this patch based on her latest upstream patch?

Re: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Tyler Hicks-2
On 2019-10-21 09:24:32, Alex Murray wrote:

>
> On Fri, 2019-10-18 at 17:43:02 +1030, Tyler Hicks wrote:
>
> > https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
> >
> >  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
> >  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
> >  to a buffer overflow.
> >
> > I've followed the suggestion from the rtlwifi maintainer here:
> >
> >  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
> >
> > A fix is not yet available upstream, which is why this is labeled a
> > SAUCE patch.
> >
> > Clean cherry pick to all releases. Build tested with clean build logs.
> >
> > Tyler
> >
> > Tyler Hicks (1):
> >   UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code
> >
> >  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
>
> The P2P standard does not impose a limit on the number of NOA
> descriptors within a frame - so the P2P_MAX_NOA_NUM is an artificial
> limit - in which case it seems to make most sense to use min() as you
> have done and as was suggested by the rtlwifi maintainer, rather than
> dropping the entire frame as Laura did in her original patch.

Thanks for the review!

>
> However I notice that Laura now has an updated patch
> https://lkml.org/lkml/2019/10/18/557 that does _not_ use min() but does
> the size comparison and clamping directly. This has been queued for 5.4
> - https://lkml.org/lkml/2019/10/20/21 - so perhaps it would be worth
> resubmitting this patch based on her latest upstream patch?

I think that min() is still a fine approach. It was even suggested as a
cleanup to v2:

 https://lore.kernel.org/netdev/871rv9xb2l.fsf@.../

Considering that the stable kernel team is trying to finalize the trees
and get candidate kernels building, I think we can keep the min() based
patch for this SRU cycle and then switch it out for whatever actually
lands upstream as we inherit the patch through the upstream linux-stable
trees.

Tyler
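
The bound described in the commit message, and the min() versus explicit compare-and-clamp exchange between Alex and Tyler above, as an added example written for this thread rather than code from the driver or from the patch: a user-space C model of a NoA attribute parser that stores descriptors into fixed-size arrays. It computes the unbounded count the pre-fix code derived from noa_len, the min() form from the SAUCE patch and the explicit clamp form, and copies only the descriptors that fit. The attribute layout beyond noa_len and the index byte at ie[3], the value 2 for P2P_MAX_NOA_NUM, the struct field names and the sample attribute are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: the thread names P2P_MAX_NOA_NUM but never states it. */
#define P2P_MAX_NOA_NUM 2
/* The patch divides (noa_len - 2) by 13: one NoA descriptor is 13 bytes. */
#define NOA_DESC_LEN 13

/* Constructed stand-in for p2pinfo: arrays sized by P2P_MAX_NOA_NUM.
 * Writing more than P2P_MAX_NOA_NUM entries here is the overrun the
 * commit message describes. */
struct p2p_ps_info {
    uint8_t  noa_index;
    uint8_t  opp_ps;
    uint8_t  ctwindow;
    uint8_t  noa_num;
    uint8_t  noa_count_type[P2P_MAX_NOA_NUM];
    uint32_t noa_duration[P2P_MAX_NOA_NUM];
    uint32_t noa_interval[P2P_MAX_NOA_NUM];
    uint32_t noa_start_time[P2P_MAX_NOA_NUM];
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Count as the pre-fix code derived it: arithmetic on the length byte
 * only, so an attribute may claim more descriptors than the arrays hold. */
int noa_count_unbounded(uint8_t noa_len)
{
    return ((int)noa_len - 2) / NOA_DESC_LEN;
}

/* The min() form used in the SAUCE patch. */
int noa_count_min(uint8_t noa_len)
{
    int n = noa_count_unbounded(noa_len);
    return n < P2P_MAX_NOA_NUM ? n : P2P_MAX_NOA_NUM;
}

/* The explicit compare-and-clamp form Alex refers to; same result. */
int noa_count_clamp(uint8_t noa_len)
{
    int n = noa_count_unbounded(noa_len);
    if (n > P2P_MAX_NOA_NUM)
        n = P2P_MAX_NOA_NUM;
    return n;
}

/* Parse one NoA attribute into info.  Assumed layout (the thread shows only
 * noa_len and ie[3] as the index byte): ie[1] = noa_len, ie[3] = index,
 * ie[4] = OppPS bit + CTWindow, descriptors start at ie[5].  Returns the
 * number of descriptors stored, or -1 for a malformed length; *dropped
 * receives how many claimed descriptors the clamp discarded. */
int parse_noa(const uint8_t *ie, size_t len, struct p2p_ps_info *info,
              int *dropped)
{
    if (len < 5)
        return -1;
    uint8_t noa_len = ie[1];
    /* noa_len must cover index + ctwindow and lie inside the buffer. */
    if (noa_len < 2 || (size_t)noa_len + 3 > len)
        return -1;
    /* The length-shape check the commit message says already existed. */
    if ((noa_len - 2) % NOA_DESC_LEN != 0)
        return -1;

    int claimed = noa_count_unbounded(noa_len);
    int n = noa_count_min(noa_len);
    *dropped = claimed - n;

    info->noa_index = ie[3];
    info->opp_ps = ie[4] >> 7;
    info->ctwindow = ie[4] & 0x7f;
    info->noa_num = (uint8_t)n;
    size_t index = 5;
    for (int i = 0; i < n; i++) {       /* n <= P2P_MAX_NOA_NUM */
        info->noa_count_type[i] = ie[index];
        info->noa_duration[i]   = get_le32(ie + index + 1);
        info->noa_interval[i]   = get_le32(ie + index + 5);
        info->noa_start_time[i] = get_le32(ie + index + 9);
        index += NOA_DESC_LEN;
    }
    return n;
}

/* Constructed attribute claiming three descriptors (noa_len = 2 + 3 * 13 = 41)
 * against arrays that hold P2P_MAX_NOA_NUM = 2. */
static const uint8_t sample_noa_ie[] = {
    0x0c, 41, 0x00,                              /* id, noa_len, high len byte */
    0x07, 0x8a,                                  /* index 7, OppPS set, CTWindow 10 */
    1, 0x10, 0, 0, 0, 0x20, 0, 0, 0, 0x30, 0, 0, 0,   /* descriptor 0 */
    2, 0x11, 0, 0, 0, 0x21, 0, 0, 0, 0x31, 0, 0, 0,   /* descriptor 1 */
    3, 0x12, 0, 0, 0, 0x22, 0, 0, 0, 0x32, 0, 0, 0,   /* descriptor 2, dropped */
};

int main(void)
{
    struct p2p_ps_info info;
    int dropped = 0;
    memset(&info, 0, sizeof(info));
    int n = parse_noa(sample_noa_ie, sizeof(sample_noa_ie), &info, &dropped);
    printf("claimed %d, stored %d, dropped %d, index %u, duration[0]=%u\n",
           noa_count_unbounded(sample_noa_ie[1]), n, dropped,
           info.noa_index, info.noa_duration[0]);
    return n == P2P_MAX_NOA_NUM ? 0 : 1;
}
```

Both clamp helpers return the same count for every noa_len, which is why the thread treats the min() variant and the compare-and-assign variant as interchangeable; the only practical difference is which one carries cleanly through the stable trees. Builds with any C99 compiler.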

APPLIED: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Kleber Souza
In reply to this post by Tyler Hicks-2
On 10/18/19 9:13 AM, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.
>
> Tyler
>
> Tyler Hicks (1):
>   UBUNTU: SAUCE: rtlwifi: Fix potential overflow on P2P code
>
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>

Applied to xenial, bionic, disco and eoan master-next branches.

Thanks,
Kleber

APPLIED[Unstable]: [PATCH 0/1][SRU][X/B/D/E] CVE-2019-17666: rtlwifi buffer overflow

Seth Forshee
In reply to this post by Tyler Hicks-2
On Fri, Oct 18, 2019 at 07:13:02AM +0000, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666.html
>
>  rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the
>  Linux kernel through 5.3.6 lacks a certain upper-bound check, leading
>  to a buffer overflow.
>
> I've followed the suggestion from the rtlwifi maintainer here:
>
>  https://lore.kernel.org/lkml/5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@.../
>
> A fix is not yet available upstream, which is why this is labeled a
> SAUCE patch.
>
> Clean cherry pick to all releases. Build tested with clean build logs.

Applied to unstable/master, thanks!