From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Date: Fri, 17 Apr 2026 04:01:05 +0100
Message-ID: <20260417030110.42991-1-delenetchior1@gmail.com>

This series fixes five remotely-triggerable memory safety issues in the
rtl8723bs driver. All of them are reachable from the air by an attacker
within WiFi radio range, without authentication, via crafted management
or data frames:

1. Heap buffer overflow in recvframe_defrag() when reassembling
   fragmented frames whose total payload exceeds the receive buffer
   capacity.

2. Integer underflow in TKIP MIC verification when a frame is shorter
   than the sum of header, IV, ICV and MIC sizes.

3. Out-of-bounds read in portctrl() when a non-EAPOL frame is shorter
   than the 802.11 header + IV + LLC + ether_type.

4. Out-of-bounds reads in three IE walkers (rtw_get_wapi_ie(),
   rtw_get_sec_ie(), rtw_get_wps_ie()) due to missing validation of the
   TLV length byte and of the byte ranges touched by the subsequent
   memcmp() calls.

5. Integer underflow in rtw_wep_decrypt() when a WEP frame is shorter
   than the header + IV + ICV.

Each patch was found by code review and is not tested on hardware.
Changes since v4:
- Patch 1/5: collapse the five identical cleanup sites in
  recvframe_defrag() into a single out_err label (Dan Carpenter).
- Patch 3/5: return NULL directly on the short-frame and non-EAPOL error
  paths instead of staging the result through prtnframe (Dan Carpenter).
- Patch 4/5: in addition to the outer TLV length check, add an inner
  bound check before each memcmp() so that the OUI read at offset 6
  (WAPI) or offset 2 (WPA/WPS) stays inside the declared element
  (Dan Carpenter).
- Patch 5/5: tighten the length check to also cover the 4-byte ICV, so
  that the subsequent crc32_le(payload, length - 4) call cannot
  underflow length - 4.
- Patches 1/5, 3/5, 4/5 and 5/5 lost Luka Gejak's Reviewed-by because
  the code changed; patch 2/5 carries it unchanged.

Changes since v3:
- All patches: add Fixes: tag pointing at the driver import and add
  Cc: stable per Dan Carpenter.

Changes since v2:
- Sent as numbered series with cover letter.

Changes since v1:
- Rebased on staging-next.

Delene Tchio Romuald (5):
  staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
  staging: rtl8723bs: fix integer underflow in TKIP MIC verification
  staging: rtl8723bs: fix out-of-bounds read in portctrl()
  staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
  staging: rtl8723bs: fix negative length in WEP decryption

 .../staging/rtl8723bs/core/rtw_ieee80211.c    | 70 +++++++++++++------
 drivers/staging/rtl8723bs/core/rtw_recv.c     | 65 ++++++++++-------
 drivers/staging/rtl8723bs/core/rtw_security.c |  6 ++
 3 files changed, 92 insertions(+), 49 deletions(-)

base-commit: bf9c95f3eeefb7fc4b4a6380cc23f1dca744e379
-- 
2.43.0
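Added example, not code from the rtl8723bs driver or this series: a bounds-checked IE walker of the kind patch 4/5 describes (an outer TLV length check, plus an inner check before memcmp() that the OUI read at offset 6 for WAPI or offset 2 for WPA/WPS stays inside the declared element) and the short-frame check patch 5/5 describes for WEP (reject a frame that cannot hold header + IV + ICV before computing a payload length, so the subtraction cannot underflow). Function and macro names (find_ie_with_oui, wep_payload_len, IE_HDR_LEN, the demo_* helpers) are hypothetical, the IE buffers are constructed test vectors, and the only real constants used are the 2-byte IE header, the 4-byte WEP IV and ICV, a 24-byte 802.11 data header in the usage values, and the well-known WPA (00:50:F2:01) and WAPI (00:14:72) OUIs.

```c
/*
 * Added example (not rtl8723bs code): a bounds-checked IE walker and a WEP
 * frame-length check modelled on the checks described in the cover letter.
 * All function and macro names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN  2   /* 802.11 IE layout: [element id][length][payload...] */
#define WEP_IV_LEN  4
#define WEP_ICV_LEN 4

/*
 * Find the first IE with id `eid` whose `oui_len` bytes at `oui_offset` equal
 * `oui`. `oui_offset` counts from the start of the element, header included,
 * matching "offset 6 (WAPI)" / "offset 2 (WPA/WPS)". Two checks guard reads:
 *   outer: the TLV length byte must not claim bytes beyond buf + len;
 *   inner: the bytes memcmp() reads must lie inside the declared element.
 * Returns NULL on no match or malformed input; *total_out gets the element
 * size including its 2-byte header.
 */
static const uint8_t *find_ie_with_oui(const uint8_t *buf, size_t len,
                                       uint8_t eid, size_t oui_offset,
                                       const uint8_t *oui, size_t oui_len,
                                       size_t *total_out)
{
    size_t pos = 0;

    while (pos + IE_HDR_LEN <= len) {
        uint8_t id = buf[pos];
        size_t ie_len = buf[pos + 1];
        size_t total = IE_HDR_LEN + ie_len;

        if (ie_len > len - pos - IE_HDR_LEN)        /* outer check */
            return NULL;
        if (id == eid && oui_offset + oui_len <= total &&   /* inner check */
            memcmp(buf + pos + oui_offset, oui, oui_len) == 0) {
            if (total_out)
                *total_out = total;
            return buf + pos;
        }
        pos += total;
    }
    return NULL;
}

/*
 * WEP payload length (bytes between IV and ICV), or -1 when the frame cannot
 * hold header + IV + ICV. Without this check, frame_len - hdrlen - 8 computed
 * in size_t wraps to a huge value on a short frame.
 */
static long wep_payload_len(size_t frame_len, size_t hdrlen)
{
    if (frame_len < hdrlen + WEP_IV_LEN + WEP_ICV_LEN)
        return -1;
    return (long)(frame_len - hdrlen - WEP_IV_LEN - WEP_ICV_LEN);
}

/* Constructed vectors; well-known OUIs: WPA 00:50:F2:01, WAPI 00:14:72. */
static const uint8_t wpa_oui[]  = { 0x00, 0x50, 0xf2, 0x01 };
static const uint8_t wapi_oui[] = { 0x00, 0x14, 0x72 };

/* SSID "abc", then a vendor IE (id 221) with the WPA OUI at offset 2. */
static int demo_wpa_found(void)
{
    static const uint8_t ies[] = {
        0x00, 0x03, 'a', 'b', 'c',
        0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
    };
    size_t total = 0;
    const uint8_t *ie = find_ie_with_oui(ies, sizeof ies, 0xdd, 2,
                                         wpa_oui, sizeof wpa_oui, &total);
    return ie == ies + 5 && total == 8;
}

/* Length byte claims 32 payload bytes, only 4 follow: outer check rejects. */
static int demo_length_past_buffer(void)
{
    static const uint8_t ies[] = { 0xdd, 0x20, 0x00, 0x50, 0xf2, 0x01 };
    return find_ie_with_oui(ies, sizeof ies, 0xdd, 2,
                            wpa_oui, sizeof wpa_oui, NULL) == NULL;
}

/* Vendor IE with a 2-byte payload cannot hold a 4-byte OUI: the inner check
 * keeps memcmp() from reading into the SSID element that follows. */
static int demo_element_too_short(void)
{
    static const uint8_t ies[] = { 0xdd, 0x02, 0x00, 0x50, 0x00, 0x03, 'a', 'b', 'c' };
    return find_ie_with_oui(ies, sizeof ies, 0xdd, 2,
                            wpa_oui, sizeof wpa_oui, NULL) == NULL;
}

/* WAPI IE (id 68): version(2) + AKM count(2) + AKM suite, OUI at offset 6. */
static int demo_wapi_offset6(void)
{
    static const uint8_t ies[] = { 0x44, 0x08, 0x01, 0x00, 0x01, 0x00, 0x00, 0x14, 0x72, 0x01 };
    return find_ie_with_oui(ies, sizeof ies, 0x44, 6,
                            wapi_oui, sizeof wapi_oui, NULL) == ies;
}
```

The offset argument follows the cover letter's convention (counted from the element id byte), so the inner condition is simply `oui_offset + oui_len <= IE_HDR_LEN + ie_len`; because the outer check has already placed the whole element inside the buffer, satisfying the inner condition is enough to make the memcmp() read safe. For the WEP helper, `wep_payload_len(40, 24)` returns 8 and `wep_payload_len(28, 24)` returns -1 rather than a wrapped size_t.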