* [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups
@ 2020-02-10 18:02 Larry Finger
2020-02-10 18:02 ` [PATCH 1/6] staging: rtl8188eu: Fix potential security hole Larry Finger
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh
Cc: netdev, devel, Larry Finger,
devel @ driverdev . osuosl . org Pietro Oliva
It was recently reported that staging drivers rtl8188eu and rtl8723bs
contained a security flaw because a parameter had not been checked.
The following patches fix that flaw and clean up the routines.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Larry Finger (6):
staging: rtl8188eu: Fix potential security hole
staging: rtl8723bs: Fix potential security hole
staging: rtl8188eu: Fix potential overuse of kernel memory
staging: rtl8723bs: Fix potential overuse of kernel memory
staging: rtl8188eu: Remove some unneeded goto statements
staging: rtl8723bs: Remove unneeded goto statements
.../staging/rtl8188eu/os_dep/ioctl_linux.c | 40 +++++-----------
.../staging/rtl8723bs/os_dep/ioctl_linux.c | 47 +++++--------------
2 files changed, 24 insertions(+), 63 deletions(-)
--
2.25.0
* [PATCH 1/6] staging: rtl8188eu: Fix potential security hole
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 2/6] staging: rtl8723bs: " Larry Finger
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva, Stable
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes: a2c60d42d97c ("Add files for new driver - part 16").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 9b6ea86d1dcf..7d21f5799640 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2796,7 +2796,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
goto out;
}
- if (!p->pointer) {
+ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
ret = -EINVAL;
goto out;
}
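Review bot: the `!=` in the new condition rejects lengths larger than struct ieee_param as well as smaller ones, where this function previously accepted any length. If any hostapd command is passed with data trailing the struct, it will now fail with -EINVAL; please confirm that no caller does that and say so in the commit message. If trailing data is legitimate, a lower bound of sizeof(struct ieee_param) plus a sane upper cap would close the out-of-bounds access without changing what callers may send.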
--
2.25.0
* [PATCH 2/6] staging: rtl8723bs: Fix potential security hole
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
2020-02-10 18:02 ` [PATCH 1/6] staging: rtl8188eu: Fix potential security hole Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 3/6] staging: rtl8188eu: Fix potential overuse of kernel memory Larry Finger
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva, Stable
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index db6528a01229..3128766dd50e 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -4207,7 +4207,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
/* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */
- if (!p->pointer) {
+ if (!p->pointer || p->length != sizeof(*param)) {
ret = -EINVAL;
goto out;
}
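Review bot: the context line just above the changed condition still carries the old commented-out check, `/* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */`, which now disagrees with the live `!=` test. Delete it in this patch so the fix is self-contained when it is picked for stable, rather than leaving the removal to 6/6.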
--
2.25.0
* [PATCH 3/6] staging: rtl8188eu: Fix potential overuse of kernel memory
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
2020-02-10 18:02 ` [PATCH 1/6] staging: rtl8188eu: Fix potential security hole Larry Finger
2020-02-10 18:02 ` [PATCH 2/6] staging: rtl8723bs: " Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 4/6] staging: rtl8723bs: " Larry Finger
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva, Stable
In routine wpa_supplicant_ioctl(), the user-controlled p->length is
checked to be at least the size of struct ieee_param size, but the code
does not detect the case where p->length is greater than the size
of the struct, thus a malicious user could be wasting kernel memory.
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 7d21f5799640..acca3ae8b254 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2009,7 +2009,7 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
struct ieee_param *param;
uint ret = 0;
- if (p->length < sizeof(struct ieee_param) || !p->pointer) {
+ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
ret = -EINVAL;
goto out;
}
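Review bot: `ret` in the context above the changed line is declared `uint`, yet it is assigned `-EINVAL` here and returned from a function whose return type is int. The value survives the round trip in practice, but since this series is reworking these error paths, change the declaration to `int ret = 0;` so negative errno values are not held in an unsigned variable.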
--
2.25.0
* [PATCH 4/6] staging: rtl8723bs: Fix potential overuse of kernel memory
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
` (2 preceding siblings ...)
2020-02-10 18:02 ` [PATCH 3/6] staging: rtl8188eu: Fix potential overuse of kernel memory Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
2020-02-10 18:27 ` Greg KH
2020-02-10 18:02 ` [PATCH 5/6] staging: rtl8188eu: Remove some unneeded goto statements Larry Finger
2020-02-10 18:02 ` [PATCH 6/6] staging: rtl8723bs: Remove " Larry Finger
5 siblings, 1 reply; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva, Stable
In routine wpa_supplicant_ioctl(), the user-controlled p->length is
checked to be at least the size of struct ieee_param size, but the code
does not detect the case where p->length is greater than the size
of the struct, thus a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-# Please enter the commit message for your changes. Lines starting
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 3128766dd50e..2ac0d84f090e 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -3373,7 +3373,7 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
/* down(&ieee->wx_sem); */
- if (p->length < sizeof(struct ieee_param) || !p->pointer) {
+ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
ret = -EINVAL;
goto out;
}
--
2.25.0
* [PATCH 5/6] staging: rtl8188eu: Remove some unneeded goto statements
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
` (3 preceding siblings ...)
2020-02-10 18:02 ` [PATCH 4/6] staging: rtl8723bs: " Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
2020-02-10 18:02 ` [PATCH 6/6] staging: rtl8723bs: Remove " Larry Finger
5 siblings, 0 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva
In routines rtw_hostapd_ioctl() and wpa_supplicant_ioctl(), several
error conditions involve setting a variable indicating the error,
followed by a goto. The code following the target of that goto merely
returns the value. It is simpler, therefore, to return the error value
immediately, and eliminate the goto target.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Pietro Oliva <pietroliva@gmail.com>
---
.../staging/rtl8188eu/os_dep/ioctl_linux.c | 40 ++++++-------------
1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index acca3ae8b254..ba53959e1303 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2009,21 +2009,16 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
struct ieee_param *param;
uint ret = 0;
- if (!p->pointer || p->length != sizeof(struct ieee_param)) {
- ret = -EINVAL;
- goto out;
- }
+ if (!p->pointer || p->length != sizeof(struct ieee_param))
+ return -EINVAL;
param = (struct ieee_param *)rtw_malloc(p->length);
- if (!param) {
- ret = -ENOMEM;
- goto out;
- }
+ if (!param)
+ return -ENOMEM;
if (copy_from_user(param, p->pointer, p->length)) {
kfree(param);
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
switch (param->cmd) {
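Review bot: the rtw_malloc() / copy_from_user() / kfree() sequence kept in this hunk is an open-coded memdup_user(). Replacing it with `param = memdup_user(p->pointer, p->length);` followed by `if (IS_ERR(param)) return PTR_ERR(param);` removes the cast, the separate -ENOMEM branch and the manual free on the -EFAULT path.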
@@ -2054,9 +2049,6 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
ret = -EFAULT;
kfree(param);
-
-out:
-
return ret;
}
@@ -2791,26 +2783,19 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
* so, we just check hw_init_completed
*/
- if (!padapter->hw_init_completed) {
- ret = -EPERM;
- goto out;
- }
+ if (!padapter->hw_init_completed)
+ return -EPERM;
- if (!p->pointer || p->length != sizeof(struct ieee_param)) {
- ret = -EINVAL;
- goto out;
- }
+ if (!p->pointer || p->length != sizeof(struct ieee_param))
+ return -EINVAL;
param = (struct ieee_param *)rtw_malloc(p->length);
- if (!param) {
- ret = -ENOMEM;
- goto out;
- }
+ if (!param)
+ return -ENOMEM;
if (copy_from_user(param, p->pointer, p->length)) {
kfree(param);
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
switch (param->cmd) {
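Review bot: the validate, allocate and copy sequence in this hunk is now line-for-line the same as the one in wpa_supplicant_ioctl() earlier in this patch. A small static helper that performs the pointer and length check and returns the copied struct ieee_param (or an error) would keep the length validation in one place, so the two ioctl paths cannot drift apart again the way the original checks did.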
@@ -2865,7 +2850,6 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
if (ret == 0 && copy_to_user(p->pointer, param, p->length))
ret = -EFAULT;
kfree(param);
-out:
return ret;
}
#endif
--
2.25.0
* [PATCH 6/6] staging: rtl8723bs: Remove unneeded goto statements
2020-02-10 18:02 [PATCH 0/6] staging: rtl8188eu and rtl8723bs - some fixes and cleanups Larry Finger
` (4 preceding siblings ...)
2020-02-10 18:02 ` [PATCH 5/6] staging: rtl8188eu: Remove some unneeded goto statements Larry Finger
@ 2020-02-10 18:02 ` Larry Finger
5 siblings, 0 replies; 8+ messages in thread
From: Larry Finger @ 2020-02-10 18:02 UTC (permalink / raw)
To: gregkh; +Cc: netdev, devel, Larry Finger, Pietro Oliva
In routines rtw_hostapd_ioctl() and wpa_supplicant_ioctl(), several
error conditions involve setting a variable indicating the error,
followed by a goto. The code following the target of that goto merely
returns the value. It is simpler, therefore, to return the error value
immediately, and eliminate the goto target.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Pietro Oliva <pietroliva@gmail.com>
---
.../staging/rtl8723bs/os_dep/ioctl_linux.c | 47 +++++--------------
1 file changed, 12 insertions(+), 35 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 2ac0d84f090e..9b9038e7deb1 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -3373,21 +3373,16 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
/* down(&ieee->wx_sem); */
- if (!p->pointer || p->length != sizeof(struct ieee_param)) {
- ret = -EINVAL;
- goto out;
- }
+ if (!p->pointer || p->length != sizeof(struct ieee_param))
+ return -EINVAL;
param = rtw_malloc(p->length);
- if (param == NULL) {
- ret = -ENOMEM;
- goto out;
- }
+ if (param == NULL)
+ return -ENOMEM;
if (copy_from_user(param, p->pointer, p->length)) {
kfree(param);
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
switch (param->cmd) {
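Review bot: the rewritten allocation check keeps `if (param == NULL)`, while the matching lines in 5/6 use `if (!param)`. Since the line is being touched anyway, use `if (!param)` here to match kernel style and the rtl8188eu copy of this function.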
@@ -3421,12 +3416,8 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
kfree(param);
-out:
-
/* up(&ieee->wx_sem); */
-
return ret;
-
}
static int rtw_set_encryption(struct net_device *dev, struct ieee_param *param, u32 param_len)
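Review bot: the commented-out `/* up(&ieee->wx_sem); */` is left between kfree(param) and the return, and its `down()` counterpart stays commented out at the top of the function. As a cleanup patch this should either drop both dead comments or say why they are kept; with the early returns added above, reinstating that lock later would mean revisiting every return path.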
@@ -4200,28 +4191,19 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
* so, we just check hw_init_completed
*/
- if (!padapter->hw_init_completed) {
- ret = -EPERM;
- goto out;
- }
-
+ if (!padapter->hw_init_completed)
+ return -EPERM;
- /* if (p->length < sizeof(struct ieee_param) || !p->pointer) { */
- if (!p->pointer || p->length != sizeof(*param)) {
- ret = -EINVAL;
- goto out;
- }
+ if (!p->pointer || p->length != sizeof(*param))
+ return -EINVAL;
param = rtw_malloc(p->length);
- if (param == NULL) {
- ret = -ENOMEM;
- goto out;
- }
+ if (param == NULL)
+ return -ENOMEM;
if (copy_from_user(param, p->pointer, p->length)) {
kfree(param);
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
/* DBG_871X("%s, cmd =%d\n", __func__, param->cmd); */
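Review bot: the length check in this hunk is written `sizeof(*param)` while the same check in wpa_supplicant_ioctl() earlier in this file uses `sizeof(struct ieee_param)`. Use one spelling in both, preferably `sizeof(*param)`, so the two checks visibly test the same thing.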
@@ -4321,13 +4303,8 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
if (ret == 0 && copy_to_user(p->pointer, param, p->length))
ret = -EFAULT;
-
kfree(param);
-
-out:
-
return ret;
-
}
static int rtw_wx_set_priv(struct net_device *dev,
--
2.25.0
* Re: [PATCH 4/6] staging: rtl8723bs: Fix potential overuse of kernel memory
2020-02-10 18:02 ` [PATCH 4/6] staging: rtl8723bs: " Larry Finger
@ 2020-02-10 18:27 ` Greg KH
0 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-02-10 18:27 UTC (permalink / raw)
To: Larry Finger; +Cc: netdev, devel, Pietro Oliva, Stable
On Mon, Feb 10, 2020 at 12:02:33PM -0600, Larry Finger wrote:
> In routine wpa_supplicant_ioctl(), the user-controlled p->length is
> checked to be at least the size of struct ieee_param size, but the code
> does not detect the case where p->length is greater than the size
> of the struct, thus a malicious user could be wasting kernel memory.
> Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
>
> Reported by: Pietro Oliva <pietroliva@gmail.com>
> Cc: Pietro Oliva <pietroliva@gmail.com>
> Cc: Stable <stable@vger.kernel.org>
> Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
> -# Please enter the commit message for your changes. Lines starting
> ---
Funny line :)
I'll go edit it...
thanks,
greg k-h