From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 50A213CC9FD for ; Wed, 15 Apr 2026 08:58:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776243505; cv=none; b=lJJPEKjbYSm3yqZTmn/2ARp312i5r+eHkQz+kV7uiAS7OyDHg9PtAKrnjJwEI6UDqFjVj8IOWmcBTICx17MxxYcdS0jaXWOYHA4i2tRbtMoVV7DRrNaXAl9ycJLgtqfCKF1B7YBAOGlHgBVYGNUijtYzI2PWKzjFo4qFgy2lXXw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776243505; c=relaxed/simple; bh=tjwxoCh8RsswJL0AZaKD6YnWt2NGDz3mZWuPI5eieOg=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=u+bRth7aGO7W9PDlRq2hnQIn0PkhMKnKXzFIw9PIaXd+Nt9XjXOkkfeDFgSqxQsdTvELgy5P3vclHq6Ps90iT+vZ7y3OKoPSdM/BZoUq6VxKHPq9maaKljzj2oLLAIjloCWoKYn/c9/yFXtwrNCSNF0jGvYxLY0p42CebyUkhfw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Bfp3Ywzu; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Bfp3Ywzu" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-488a88aeec9so86868455e9.2 for ; Wed, 15 Apr 2026 01:58:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776243503; x=1776848303; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=6h2N9ksCXacxSbGHcgLCh/qKq3F9bELd0+y8Uh8lUbQ=; b=Bfp3YwzuBWuRyRkeliansjvvWyCITd+aUeAHWF4L3j9Csdemf1DpydPAdrAlJAkzuP Gelqb4ZWSoDUHr9wWRffzUi78iw1ePK8k1k8V/nJ55kfPZk/7gZVlJ6YbBtPgmV6vPuH 43kBc10DrxuqZwiHxjeOvT82vJtwoQBFUtFHmNdItWVOWx/toKrljxpqCCBRmuSyn1lD 9yc4ZNIlk9dbpOk0GM0P6lmz4VRU63uEUPN7X410D98tDGB5wgpNKyoDbdakAndFxLpQ DbzM9yJM73oUGsKmFhM8kv7DkC7tzvNhs14u7wJ2ENDjE1kYILop+heza9lNThx1yacN c8eA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776243503; x=1776848303; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6h2N9ksCXacxSbGHcgLCh/qKq3F9bELd0+y8Uh8lUbQ=; b=DT6kMKhqvIevF2wsJtKfhg0UQSPTdre+mzva9vBKWhd9dEQ7j263YJmf3SrX8Acdrv kR+g2/u/9zVuMjstt+YCh0gEh5s4gE8drYN6IBAJQJNy/ISxuZ7P+G/vLt2Ko7LaG0Cr 1/2ICUyG9Odv3nO/M+/CibrQT7wVODjDHXqxlb45RyKPfiL4uV2RmSvMuwtt20mxlIr0 omk0b/nExv5USHteQAmzAFena5Vz/1g4VszhqQZRkTCsthllVdbD5e4FmtwPvRSWipqz ueu91Wn8NxH8Rimbs6pt+9lPU71fpwjPWaNmGe1d8VVh83a/4NdkzCo/suYt5lsZNJBH Di1w== X-Forwarded-Encrypted: i=1; AFNElJ9Y6V5jhI9aZA6qMtYXWFIGScbxsIw1m9vb8nHbcrbDndQUfWpaKtO2NlVS0jotKqYw3oO82gHlqBAeHu4=@vger.kernel.org X-Gm-Message-State: AOJu0YwkDZ1HFJIpoKwco3RoIrJmzMEU7kzeHxa3pTlLaN0QGns6Z6Qo ftYY/rap6Xkr3RCLH/RRsErxBFigjI1jwt9LSi1BehwRGMa05ggReSLG X-Gm-Gg: AeBDiet/ew9+0smwzv+QTN18zfO3WrYRGI+UAVIiK4SAbl7smCsKRlSGhmzZd224/yz k7RF7mUDXmoDrTKwBEBKnTYeHbOtA11TuyFCZhAEjp6x5f9Bps6BgkuV6yRmJ+1FsjzovMwpbGr F2TleZxnXmfgCdU7IOs+3VI/9qyKI8Ab5C/s1IjliYrAWlpzSj7Bv20UJLYgE28zFT0moGEUMPy n/MwJgmbDz0KaYRsHplizpuFJ5rtn1V0lElGrxWDC/c0VJbuTtD4UBdiTRDUqj5pRsWHCHQrsJO tIPtDt2rslAjLYEZfffxScWoX+5qYqM7VfVh4mCeFezOKJl7+0Mh6LZSARzuO9deKX/iyCW1MhO tyWnG7ZL7ZR/JuFn3YkiPf5Hj+MVFPCueEgJWSkeLEtdA0iWt+rX+6xAnATM3k2to0zxRKm0Ass u85VOjTMGScROcLHqlUd0= X-Received: by 2002:a05:600c:820a:b0:488:81b1:ae36 with SMTP id 5b1f17b1804b1-488d688688fmr287096005e9.23.1776243502635; Wed, 15 Apr 2026 01:58:22 -0700 (PDT) Received: from localhost ([196.207.164.177]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488f096d110sm19990255e9.11.2026.04.15.01.58.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Apr 2026 01:58:22 -0700 (PDT) Date: Wed, 15 Apr 2026 11:58:18 +0300 From: Dan Carpenter To: luka.gejak@linux.dev Cc: Greg Kroah-Hartman , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v2] staging: rtl8723bs: fix remote heap information disclosure in issue_assocreq Message-ID: References: <20260415050302.9934-1-luka.gejak@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260415050302.9934-1-luka.gejak@linux.dev> On Wed, Apr 15, 2026 at 07:03:02AM +0200, luka.gejak@linux.dev wrote: > From: Luka Gejak > > When building an association request frame, the driver copies the > ht capability ie using the attacker-controlled pIE->length from the > ap's beacon. If the ap provides a length greater than the size of > struct HT_caps_element (26 bytes), it causes an out-of-bounds read > of the adjacent heap memory (HT_info and network structures). > This uninitialized or sensitive memory is then transmitted over the air, > resulting in a remote heap information disclosure. > > Fix this by clamping the length passed to rtw_set_ie() to the actual > size of struct HT_caps_element. > > Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") > Cc: stable@vger.kernel.org > Signed-off-by: Luka Gejak > --- > --- > Changes in v2: > - Refactored rtw_set_ie() alignment to follow "open parenthesis" style. > - Allowed the line length to exceed 100 characters for better readability as requested by Greg KH. > > drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > index 5f00fe282d1b..08e597bc0345 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > @@ -2954,7 +2954,9 @@ void issue_assocreq(struct adapter *padapter) > if (padapter->mlmepriv.htpriv.ht_option) { > if (!(is_ap_in_tkip(padapter))) { > memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_element)); > - pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen)); > + pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, > + min_t(uint, pIE->length, sizeof(struct HT_caps_element)), > + (u8 *)&pmlmeinfo->HT_caps, &pattrib->pktlen); You're being conservative and trying to work around the invalid pIE->length, but in the case where the original code corrupts memory, we're allow to just give up and return a failure. There are two other cases where we trust pIE->length in this function and those need to be fixed as well. regards, dan carpenter