From nobody Sun Jun 14 18:47:45 2026 Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com [209.85.217.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C34B2D4805 for ; Sat, 4 Apr 2026 23:55:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.217.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775346943; cv=none; b=NG+z/7LxFCZRHsk6ZWmmgRMakg9j2DICFoUveIugoIUF1I2XCiKLZEX463ajvtZ2O0d/t53LVJlVh/74I0KCds1zA9ElgdfZCkHCDgMRR9mUPPb8nP2Lyw7axrTKR+ptTT/eG8LjEtvEtFqs3iiwfYiIP/+WMLLMqejjWG50ouI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775346943; c=relaxed/simple; bh=EyUYcp2qyvrkMNQ5gO1OaVokxM7EP/0buscgSwGAgTo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YvP+qrI82mTedM8TU3IQyL40pW4PLeo/UHNOnApCTLi5s3PMpkAWGLUt5C39bgQbR5vdbGOobxGedqRtSFK6kRwDcgPVlcqW5RwvH7r6/CM5I8tEYR94LPKr47O1cRM6As0i48276C0GSyjzhWZdepgFdfwjNyt7okk7qLd9gWg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=YjwF6wlz; arc=none smtp.client-ip=209.85.217.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YjwF6wlz" Received: by mail-vs1-f48.google.com with SMTP id ada2fe7eead31-6055de93fa8so940459137.0 for ; Sat, 04 Apr 2026 16:55:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775346941; x=1775951741; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=2lcWK2ZmstYCPUTW7q2PYzGVzcHD7v4lIlVs5LsX4CQ=; b=YjwF6wlzugxlzoMYOLhkxn/BlIDIj678fd8UJi8rLTTDcDo3de/H17JIDKwp6aFT5z eH/86MNlNfQ0CmrWj8uqEDiOSH/fH8nEnOmSk6gV9JBcyNiN9Ta9CV9FM/ypgoVdZNSv anLdhEP2IJbLsB/VAEPpVRU2+7VsaiLR668RbP64BSgWr91tNiO+36/mL/+w3N2ITi0p ksWMzG7i1l3bVoa2XSKW7WOpT1m+ukyx4j1dgx6cqkmv1CbIZzz/4br2sT33YY3yQqWb a82pDn2NV97tmdTa0aLjIDdErHek58/SnX6Lw67/tRIwp+K3F99at5l7aS865fmb4LKo YcXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775346941; x=1775951741; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=2lcWK2ZmstYCPUTW7q2PYzGVzcHD7v4lIlVs5LsX4CQ=; b=sRuf4BBskV//RUrCrdNc6BIhjJXwcAahiCLz6vC2uKnb/5uaLRS7qCDrUawz9qUTqN CovdP0yVgEf79ydS3h7misslv4U8qg1ZoLghs2bbbBUqgfTszYlit0VZeTMcFy0MtYnj mif5Crhbe5jYLhrlTx0VB6PUelfvRMMTYYxqySE9ubVMRqg9chbriovZOkYHrSD6P74I Ha6MCwgqUOLzZ2Ia4YkXrfeOilwq5CiOp1ay5/ekk3AtnBp/ZZsREZ6x2DMpwKLrpkvN J19UmcdjWMyJY3lseAHdEUU1qC2LfLnMfKbmHlaP9fq003FTNGluPyIDd3esSw7u7LwN YyIQ== X-Forwarded-Encrypted: i=1; AJvYcCVAJPP0F74Fe/J4K7gj7MojBiWQQXM6yRdsxy+/o8sQd9DgwKioa1g14xi4rNEb+s/ffLlcCr2otI0zq9M=@vger.kernel.org X-Gm-Message-State: AOJu0YykeBoFQMrlvMxq7lZ0TIUXX9KpUeSdrg9RPym8WnDPhtSDwanQ ERDFJlZFd5l+XAJc4Twc8wTUe6xXMvuELhtxC3hE3E3TxxJJosTZyC63 X-Gm-Gg: AeBDievcGP0Ck7rYIzrPGvjoRyx5a3cEg+XtGw9oKePbGHTSPKs6dmg/KOIxVsUh8zM uIr3z/wL0iIKSAEdca6azCNKuYArjMEpworOZ67bP3net0Onq0ETtFVCjGXjKXYEzjv9dn0rxpt oPmueoFW9bI6SIMOH+W0uwHcPVOQECa1vmqVnPn3AOuxex73OGPVirSophiHu641B0zlvzdyjnP PShzwpdPaCjME2zHgDBYhvGnTskD/UuqfwoTd6mUg1IBYMdK2I9N2M5t6GuAtpx5ubzkydVi5DK UixkDwIINQPJCBlKjj/IaoDu6Yv1jNZ3shnBoNOkergEF7yifYV1GqW2E5F3jTTQDQDnMufBIYL bWL7aDNgsH2ZJ83PjB6rNPRG0N6FtUuJFFd8MszQMmuaWwiBd0awkAcr83TpZYvgAwGF+G+h7k4 oTD9nE9WD+MZSSN1FqZ0vJHO7BJ/lqutVVlXSq8KsDosSf3DYWORI= X-Received: by 2002:a05:6102:8557:20b0:605:b96a:a0d4 with SMTP id ada2fe7eead31-605b96ab4d7mr1003426137.27.1775346940957; Sat, 04 Apr 2026 16:55:40 -0700 (PDT) Received: from localhost.localdomain ([102.244.98.15]) by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-953fbb1a0d7sm9447301241.13.2026.04.04.16.55.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Apr 2026 16:55:40 -0700 (PDT) From: Delene Tchio Romuald To: gregkh@linuxfoundation.org Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald , stable@vger.kernel.org Subject: [PATCH v2] staging: rtl8723bs: fix integer underflow in TKIP MIC verification Date: Sun, 5 Apr 2026 00:55:22 +0100 Message-ID: <20260404235522.72483-1-delenetchior1@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260404225752.61297-1-delenetchior1@gmail.com> References: <20260404225752.61297-1-delenetchior1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In recvframe_chkmic(), datalen is computed as: datalen =3D len - hdrlen - iv_len - icv_len - 8; All operands are unsigned, so if the frame is shorter than the sum of header, IV, ICV, and MIC lengths, the subtraction wraps to a very large value. This corrupted datalen is then passed to rtw_seccalctkipmic() and used as a pointer offset, leading to out-of-bounds reads on kernel heap memory. Add a minimum frame length check before the subtraction to prevent the unsigned integer underflow. Cc: stable@vger.kernel.org Signed-off-by: Delene Tchio Romuald --- drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c index f78194d50..1fc8bcf39 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_l= en - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe + prxattrib->hdrlen + prxattrib->iv_len; --=20 2.43.0