From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Fri, 17 Apr 2026 04:01:07 +0100
Message-ID: <20260417030110.42991-3-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In recvframe_chkmic(), the payload length is computed as:

    datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;

All operands are unsigned. If the receive frame is shorter than the sum of
the header, IV, ICV and MIC sizes, this subtraction wraps around and datalen
becomes a huge unsigned value. That value is then passed to
rtw_secmicappend(), which reads past the end of the receive buffer and can
leak kernel memory or trigger a crash.

An attacker within WiFi radio range can exploit this by sending a crafted
short TKIP-encrypted frame. No authentication is required.

Validate that the frame is large enough for the TKIP MIC computation before
the subtraction.

Found by reviewing length arithmetic in the TKIP receive path. Not tested
on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v5: unchanged; carry Luka Gejak's Reviewed-by.
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 52d029c28ab1f..40884788a30d6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *adapter, union recv_frame *p
 		mickey = &stainfo->dot11tkiprxmickey.skey[0];
 	}
 
+	/* Ensure the frame is large enough for TKIP MIC verification */
+	if (precvframe->u.hdr.len <= prxattrib->hdrlen +
+	    prxattrib->iv_len + prxattrib->icv_len + 8) {
+		res = _FAIL;
+		goto exit;
+	}
+
 	datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;/* icv_len included the mic code */
 	pframe = precvframe->u.hdr.rx_data;
 	payload = pframe + prxattrib->hdrlen + prxattrib->iv_len;
-- 
2.43.0
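Review bot: the new bound uses `<=`, so a frame whose length exactly equals hdrlen + iv_len + icv_len + 8 is rejected even though the subtraction below would then yield datalen == 0 rather than wrap. If zero-payload frames are meant to fail MIC verification (a frame carrying no MSDU payload has nothing to hand to the upper layers anyway), say so in the comment or the commit message; if not, the comparison should be `<`. A smaller point: the literal 8 now appears twice in this function (in the new check and in the existing `datalen = ...` line, whose trailing comment says the MIC is already accounted for in icv_len); a named constant for the TKIP MIC length would keep the two in step and make the "icv_len included the mic code" comment easier to reconcile with the arithmetic.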
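The commit message above describes an all-unsigned subtraction that wraps when the frame is shorter than the fixed TKIP overhead. The following is an added, self-contained C example (not rtl8723bs driver code and not part of the patch) that reproduces that arithmetic on constructed frame parameters and places the patch's check-before-subtract bound beside it; the function names, the 24/8/4-byte header/IV/ICV sizes and the 30-byte frame length are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's length arithmetic; not rtl8723bs code.
 * A TKIP frame carries: 802.11 header | IV | payload | MIC (8 bytes) | ICV. */
#define TKIP_MIC_LEN 8u

/* Mirrors the unchecked computation from the commit message: every operand is
 * unsigned, so when frame_len is smaller than the fixed overhead the result
 * wraps to a value near UINT32_MAX instead of going negative. */
uint32_t naive_payload_len(uint32_t frame_len, uint32_t hdrlen,
                           uint32_t iv_len, uint32_t icv_len)
{
    return frame_len - hdrlen - iv_len - icv_len - TKIP_MIC_LEN;
}

/* Checked version using the same bound as the patch: compare before
 * subtracting and refuse frames that cannot hold header + IV + ICV + MIC.
 * Returns -1 when the frame is too short, otherwise the payload length.
 * Because the bound is `<=`, as in the patch, an exact-fit frame
 * (payload length 0) is also rejected. */
int64_t checked_payload_len(uint32_t frame_len, uint32_t hdrlen,
                            uint32_t iv_len, uint32_t icv_len)
{
    /* Sum in 64 bits so the overhead itself cannot wrap. */
    uint64_t overhead = (uint64_t)hdrlen + iv_len + icv_len + TKIP_MIC_LEN;

    if (frame_len <= overhead)
        return -1;
    return (int64_t)(frame_len - overhead);
}

/* Would a MIC routine that consumes datalen bytes starting at offset
 * hdrlen + iv_len stay inside a frame_len-byte receive buffer?
 * Computed in 64 bits so the bounds check cannot wrap either.
 * Returns 1 if the read stays in bounds, 0 if it runs past the end. */
int read_in_bounds(uint32_t frame_len, uint32_t hdrlen, uint32_t iv_len,
                   uint32_t datalen)
{
    uint64_t end = (uint64_t)hdrlen + iv_len + datalen;

    return end <= frame_len;
}

int main(void)
{
    /* Constructed frame parameters: 24-byte 802.11 header, 8-byte TKIP IV,
     * 4-byte ICV, and a truncated frame that is only 30 bytes long. */
    uint32_t frame_len = 30, hdrlen = 24, iv_len = 8, icv_len = 4;

    uint32_t bad = naive_payload_len(frame_len, hdrlen, iv_len, icv_len);
    printf("naive datalen for a %u-byte frame: %u (read in bounds: %d)\n",
           frame_len, bad, read_in_bounds(frame_len, hdrlen, iv_len, bad));

    int64_t good = checked_payload_len(frame_len, hdrlen, iv_len, icv_len);
    printf("checked datalen for a %u-byte frame: %lld (-1 = rejected)\n",
           frame_len, (long long)good);

    good = checked_payload_len(100, hdrlen, iv_len, icv_len);
    printf("checked datalen for a 100-byte frame: %lld (read in bounds: %d)\n",
           (long long)good,
           read_in_bounds(100, hdrlen, iv_len, (uint32_t)good));
    return 0;
}
```

The naive function returns a value a few bytes below 2^32 for the 30-byte frame, and `read_in_bounds` confirms that consuming that many bytes from the payload offset would run far past the buffer; the checked function rejects the same frame before any subtraction happens. Doing the overhead sum and the bounds check in 64-bit arithmetic is a general habit worth keeping in receive paths: it removes any question of the guard itself wrapping, whatever the widths of the individual length fields.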