From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald, stable@vger.kernel.org
Subject: [PATCH] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Sat, 4 Apr 2026 23:57:52 +0100
Message-ID: <20260404225752.61297-1-delenetchior1@gmail.com>

In recvframe_chkmic(), datalen is computed as:

    datalen = len - hdrlen - iv_len - icv_len - 8;

All operands are unsigned, so if the frame is shorter than the sum of header, IV, ICV, and MIC lengths, the subtraction wraps to a very large value. This corrupted datalen is then passed to rtw_seccalctkipmic() and used as a pointer offset, leading to out-of-bounds reads on kernel heap memory.

Add a minimum frame length check before the subtraction to prevent the unsigned integer underflow.

Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
---
 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c
index 337671b12..8d3c6761a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len-prxattrib->hdrlen-prxattrib->iv_len-p= rxattrib->icv_len-8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe+prxattrib->hdrlen+prxattrib->iv_len; --=20 2.43.0
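Review bot: the new guard uses `<=`, so it also rejects a frame whose length is exactly hdrlen + iv_len + icv_len + 8, i.e. a datalen of 0 that does not underflow at all; if a zero-byte protected payload is not meant to be dropped here, `if (precvframe->u.hdr.len < prxattrib->hdrlen + prxattrib->iv_len + prxattrib->icv_len + 8)` matches the intent stated in the commit message. Two smaller points: the existing comment on the datalen line says `/* icv_len included the mic code */` while both that computation and the new check subtract a separate 8 for the MIC, so the commit message should state which is correct since it decides the bound; and with stable@ on Cc, a `Fixes:` tag naming the commit that introduced the unchecked subtraction would help the backport. The `res = _FAIL; goto exit;` path also relies on `exit` not expecting cleanup of anything set up between the top of the function and this point, which the hunk context does not show.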
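The wrap described in the commit message, and the effect of the length guard, shown in a stand-alone C model. This is an added example, not code from the patch or from the rtl8723bs driver: `struct frame_lens`, `tkip_datalen_unchecked()` and `tkip_datalen_checked()` are constructed for illustration and only mirror the field names used in the hunk. The checked variant deliberately uses `<` rather than the patch's `<=`, so it shows how a frame whose protected payload is exactly zero bytes is handled once the underflow itself is ruled out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the length fields recvframe_chkmic() works with.
 * The struct is an assumption for this example; only the field names
 * follow the patch. */
struct frame_lens {
	uint32_t len;     /* total received frame length (u.hdr.len) */
	uint8_t hdrlen;   /* 802.11 MAC header length */
	uint8_t iv_len;   /* TKIP IV / extended IV length */
	uint8_t icv_len;  /* ICV length */
};

#define TKIP_MIC_LEN 8U

/* Pre-patch arithmetic: every operand is unsigned, so a frame shorter
 * than header + IV + ICV + MIC wraps to a value near 2^32. */
uint32_t tkip_datalen_unchecked(const struct frame_lens *f)
{
	return f->len - f->hdrlen - f->iv_len - f->icv_len - TKIP_MIC_LEN;
}

/* Guarded variant: the overhead is summed first (cannot wrap: three
 * u8 values plus 8 fit easily in a u32) and compared against the frame
 * length before any subtraction. Returns false and leaves *datalen
 * untouched when the frame is too short; a frame with exactly zero
 * payload bytes is accepted with *datalen == 0. */
bool tkip_datalen_checked(const struct frame_lens *f, uint32_t *datalen)
{
	uint32_t overhead = (uint32_t)f->hdrlen + f->iv_len + f->icv_len +
			    TKIP_MIC_LEN;

	if (f->len < overhead)
		return false;
	*datalen = f->len - overhead;
	return true;
}

int main(void)
{
	/* Constructed input: a 30-byte frame with a 24-byte header, 8-byte
	 * IV and 4-byte ICV, i.e. 14 bytes short of holding a MIC at all. */
	struct frame_lens shorty = { 30, 24, 8, 4 };
	uint32_t datalen;

	printf("unchecked datalen = %u\n", tkip_datalen_unchecked(&shorty));
	if (!tkip_datalen_checked(&shorty, &datalen))
		printf("checked: frame too short, MIC check refused\n");
	return 0;
}
```

The unchecked value for the 30-byte frame is 2^32 - 14, which is the "very large value" the commit message refers to; used as an offset from the payload pointer, that is the out-of-bounds read the patch closes.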