From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Fri, 17 Apr 2026 07:10:45 +0100
Message-ID: <20260417061048.62484-3-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In recvframe_chkmic(), the payload length is computed as:

    datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;

All operands are unsigned. If the receive frame is shorter than the sum of the header, IV, ICV and MIC sizes, this subtraction wraps around and datalen becomes a huge unsigned value. That value is then passed to rtw_secmicappend(), which reads past the end of the receive buffer and can leak kernel memory or trigger a crash.

An attacker within WiFi radio range can exploit this by sending a crafted short TKIP-encrypted frame. No authentication is required.

Validate that the frame is large enough for the TKIP MIC computation before the subtraction.

Found by reviewing length arithmetic in the TKIP receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v6: unchanged.
v5: unchanged.
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 8d5d9a6dc4db0..e30617875a69d 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *adapter, union recv_frame *p mickey = &stainfo->dot11tkiprxmickey.skey[0]; } + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <= prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res = _FAIL; + goto exit; + } + datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe = precvframe->u.hdr.rx_data; payload = pframe + prxattrib->hdrlen + prxattrib->iv_len;
-- 
2.43.0
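Review bot: the guard uses `<=`, so a frame whose length is exactly hdrlen + iv_len + icv_len + 8 (a zero-byte payload) now takes the `res = _FAIL` path; if rejecting empty payloads is intended, the comment above the check should say so, otherwise `<` is the minimal condition that still prevents the wrap. Also worth settling before this goes to stable: the unchanged context line carries `/* icv_len included the mic code */`, yet the expression subtracts a separate 8 bytes for the MIC and the new guard repeats that arithmetic, so either the comment is stale or the MIC is being accounted for twice; a sentence in the commit message stating which is the case would help reviewers confirm the bound is neither too loose nor too strict.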
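The wrap-around the commit message describes and the guard the patch adds, as an added example that is not the driver's code: stand-alone functions model the arithmetic with parameter names that mirror the patch, and the 8-byte MIC plus the 24/8/4-byte header, IV and ICV sizes used in main() are assumed values for illustration.

```c
/* Added example (not the driver's code): models the length arithmetic that
 * the commit message describes for recvframe_chkmic(). The parameter names
 * mirror the patch (len, hdrlen, iv_len, icv_len); the 8-byte MIC constant
 * and the TKIP sizes used in main() are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TKIP_MIC_LEN 8u

/* Pre-patch arithmetic: every operand is unsigned, so a frame shorter than
 * hdrlen + iv_len + icv_len + MIC wraps to a value near UINT_MAX instead of
 * going negative. A consumer that trusts this as a byte count reads past
 * the end of the receive buffer. */
unsigned int datalen_unchecked(unsigned int len, uint8_t hdrlen,
                               uint8_t iv_len, uint8_t icv_len)
{
    return len - hdrlen - iv_len - icv_len - TKIP_MIC_LEN;
}

/* The guard from the patch, same '<=' comparison: true means the frame is
 * too short and must be rejected (the patch's res = _FAIL; goto exit). */
bool tkip_frame_too_short(unsigned int len, uint8_t hdrlen,
                          uint8_t iv_len, uint8_t icv_len)
{
    return len <= hdrlen + iv_len + icv_len + TKIP_MIC_LEN;
}

/* Post-patch behaviour: -1 when the guard rejects, else the payload length,
 * which can no longer wrap because the guard guarantees len exceeds
 * everything that is subtracted from it. */
long long datalen_checked(unsigned int len, uint8_t hdrlen,
                          uint8_t iv_len, uint8_t icv_len)
{
    if (tkip_frame_too_short(len, hdrlen, iv_len, icv_len))
        return -1;
    return (long long)(len - hdrlen - iv_len - icv_len - TKIP_MIC_LEN);
}

int main(void)
{
    /* Constructed frame: 24-byte 802.11 header, 8-byte TKIP IV, 4-byte ICV,
     * 8-byte MIC, but only 40 bytes received in total (4 bytes short). */
    unsigned int len = 40;
    printf("unchecked datalen: %u\n", datalen_unchecked(len, 24, 8, 4));
    printf("checked   datalen: %lld\n", datalen_checked(len, 24, 8, 4));
    return 0;
}
```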