From: Jakub Kicinski <kuba@kernel.org>
To: pinkperfect <pinkperfect2021@gmail.com>
Cc: amitkarwar@gmail.com, ganapathi017@gmail.com,
huxinming820@gmail.com, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
sharvari.harisangam@nxp.com
Subject: Re: [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in mwifiex_process_mgmt_packet
Date: Wed, 12 Jul 2023 17:57:11 -0700 [thread overview]
Message-ID: <20230712175711.1431adec@kernel.org> (raw)
In-Reply-To: <20230710150130.2449934-1-pinkperfect2021@gmail.com>
On Mon, 10 Jul 2023 15:01:30 +0000 pinkperfect wrote:
> Hi, this vulnerability has been reported to and discussed with chromeos teams,
> the detail analysis, see comments in below code:
> mwifiex_process_sta_rx_packet makes sure rx_pkt_offset + rx_pkt_length <= skb->len
> In mwifiex_process_mgmt_packet:
>
> rx_pd = (struct rxpd *)skb->data;
>
> // skb->len -= rx_pkt_offset, skb->len == rx_pkt_length
> skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
> // skb->len == rx_pkt_length - 2, if set rx_pkt_length == 4, skb->len == 2
> skb_pull(skb, sizeof(pkt_len));
>
> pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
>
> //skip..
>
> // now skb->len == 2, skb->data + 24 is oob from skb buffer
> // skb->data + 30 is oob from skb buffer
> // pkt_len == 4, so underflow
> memmove(skb->data + sizeof(struct ieee80211_hdr_3addr),
> skb->data + sizeof(struct ieee80211_hdr),
> pkt_len - sizeof(struct ieee80211_hdr));
>
> On MT8173 chromebook, the arm64 memmove.S / memcpy.S code logical
> cause memove(dst, src, -x) a possible exploitable oob write vulnerability
> not only a unexploitable crash
Oh, didn't see the v2, please address the comments I just sent to v1.
prev parent reply other threads:[~2023-07-13 0:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-08 7:07 [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in mwifiex_process_mgmt_packet pinkperfect
2023-07-10 15:01 ` pinkperfect
2023-07-13 0:57 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230712175711.1431adec@kernel.org \
--to=kuba@kernel.org \
--cc=amitkarwar@gmail.com \
--cc=ganapathi017@gmail.com \
--cc=huxinming820@gmail.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=pinkperfect2021@gmail.com \
--cc=sharvari.harisangam@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).