From nobody Sun Jun 14 18:58:42 2026 Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D8B733F5BE for ; Sun, 5 Apr 2026 10:17:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.217.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384252; cv=none; b=UzlI4mSMQDWZSrIVYWeHneP8aaKXTGcEWsxD7jbBzc7KYO9MNoWkr3cv5oGcMaWaN8dgiqPsyOXoN5fCNhPAc2+Rt7Ls9lzKI0K0Ri2/Et33XnNppxl6ve3DX2SbpeL8MjyiGI3Cu9YQUufBYuDxh0nYA0lEl/FLG6kfm/IEiwE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384252; c=relaxed/simple; bh=B8QYfDSeOgxGEDorbedsncUkQOeOjsJbGsULmtil6w4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=aHTg+QjM0MjKaKBtqGaH5MjxAnVway22pbRdgVhQ5Av4aZPY3NzuKxaL0vrIRndvX8k2adRQRBVg40wmcvWAToBp0wDCrpU4I6EgLVEJzqJOHb2uY0qNciIGqmddsixEfB2c2Zx+MOiOYwKl6Aj7u+Yjqk4RsPGhj3NNZWf4wN0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=IKA8ewlT; arc=none smtp.client-ip=209.85.217.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IKA8ewlT" Received: by mail-vs1-f47.google.com with SMTP id ada2fe7eead31-6058a955e04so2089954137.0 for ; Sun, 05 Apr 2026 03:17:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775384248; x=1775989048; darn=vger.kernel.org; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GSy6ct2enUeFQArxBAW1+GtdbKYWzb2RBJip/SzgHBQ=; b=IKA8ewlTSz6jQgLmrDlFPVUO4EGrXngH3jzGJ8gErc8M9UdcjTtdz5SRE2kb1bYBVU hCMMB9frEJ0KuSPo/OjcBABqRWt6ugetme1+8GB56nr0shpIp047kxaQADhe4dFE49q0 IUAarZBiR6dsJjTEirTVKRhIxk/w8GVo1AOaCAXA5kwza97BzrR8+fi6VDBCDe6yjV5g 8mytVp52yU6VXYXHJ/UG3/PfalssqKYiff2PCY4zBVQ6vkhTebNMmyI7gxQdmHc8WDi7 8KDZI6uQBJ34nP22yY+aC5F3QtGMbU1bDYamafBZaFqvYY15j0hWn6heI80V+ukiEIlw dluA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775384248; x=1775989048; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=GSy6ct2enUeFQArxBAW1+GtdbKYWzb2RBJip/SzgHBQ=; b=i9B2zcI7syAWQsoDUjqgjAgDXdcYB2ZrKN0iY9ypPGcXlouVd1k8uRIoawHp8WHdf0 hvMrReaBfTPJ32FLdJogO/CqV8g8uODzojTOPaCfKHOWOr44cGnImD62nhCG/GgoN3Fj Yo0RYL9O83Oy0doWJS96RPwYebcho/r2WpsWtkEXiKGQnoh3J6j14WXeOzGKtVk10cON msUk0XNvt7iGJzcfUpkLEFt8ZYaDCPNVfW26QmZvRxGcviGdIJYaHpl8ga1VuVVuW4np vWxg9AfEi6hvLitZtoXgCeUT+81Tk0vJIaI/1kpb5gDFVvfWlBpGHeNTLALtw1IQbx5A LT8w== X-Forwarded-Encrypted: i=1; AJvYcCXjLYMWjupJWXi/epP29tvmXYfv0C3dpe7U/+espRTA1CF4q2FcmUZz6UNdG8k/aU8wZO7Hj37MfhnBs9k=@vger.kernel.org X-Gm-Message-State: AOJu0YwecvdVojec/aeIAM+giAKc7rDkD/VgazM+7PLpaCOJLeRz0idc TmguE1k1is9fbK8xBGag6E4M3/Zq/bx93F2tkcfQOGTouaxterooc4sTdmrJ2QW7 X-Gm-Gg: AeBDiesOqteIVwdbgEl/eLvjecHewoMZLc/4BJuDfFPnmjDyqt2p7uxNLIObrsJQMNg VOElMpqtt4VKZMgdxkF4WkxrKiZaKtQYQBarIPDTzv4kYzidF0p9SlhX+p6cFh/9C6PjCaA15sG VhEc+0s0BRw68s/vMZi4uL1eOW9nq+t67URUEcjwh0NiyFf0KmwE/VkFSXyHA7slffR64B5qW06 WfrLeG7m1hb3GaLOpTPHuJA1xtQqa3MyOXTRZk5HQpHQgFJt0rpoEWy3qXxpSyBakFr6DVes5T+ LNpqF2IjI0SmbF4Jun5U6lxjZFMTbNPUyYTV6XNIuLrDjc+j+en6Nou4Cw07Q+mz+v78XtZgshr BIk+yD/3xKI11O0k5MeiLzZVoC4P7cHQZP9s8BYPgM5qcQEWX1OWhG5RCTdOavGYN5ahgGef0Ac 
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore , Sam Daly , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Sun, 5 Apr 2026 11:15:44 +0100
Message-ID: <20260405101548.124829-2-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before recvframe_put() validates that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow.

An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required.

Add a bounds check before the memcpy() to verify that the fragment payload fits within the remaining buffer space, using the same error handling pattern already present in the function.

Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware.
Signed-off-by: Delene Tchio Romuald
Reviewed-by: Luka Gejak
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl

v2:
- Rebased on staging-next (v1 was based on v7.0-rc6 and did not apply)
- Removed Cc: stable (will be added by maintainer)

 drivers/staging/rtl8723bs/core/rtw_recv.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index f78194d508dfc..717e0594d983a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -1132,7 +1132,13 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, /* append to first fragment frame's tail (if privacy frame, pull the IC= V) */ recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); =20 - /* memcpy */ + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail)) { + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; + } + memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); =20 recvframe_put(prframe, pnfhdr->len); --=20 2.43.0 From nobody Sun Jun 14 18:58:42 2026 Received: from mail-vk1-f174.google.com (mail-vk1-f174.google.com [209.85.221.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 479B933EAED for ; Sun, 5 Apr 2026 10:17:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384254; cv=none; b=isXrTewuQw3oXc1Ybln5p5BrZFWup5+LlIJz8kIHEfw2cxC2zUC9bSj4L2GEOQ2T2CPEasVcNyQWSM692oVo272RCQvzFpo8f6roUsV5ZOBCLwC2xieG7bVtHQlBdLLRiuw/6rdPG4+Np9SmIQ2QXCLNdxM2BeXRmw7cAXEY/E4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384254; c=relaxed/simple; bh=NxncsbAdSLuMbc17VvMAI5fr/no/7/aP8bRKwl8YQsM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LbLaoqFPXEdKjTDnU9Ed48MtPCWKYjJHg370MKIHc9ts1HQ0W1gqBEDMOYnA2JbXb1stbp4AikalYXwZo/R+3smfsYxYr0lGxuKHna1W1dNafpQm6Dv0zYOyI+jpl9YOheRg+lPLTQIJCyNi54YrL2k9mQhPoz2sWz7m7puV4MU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LbjpOSNI; arc=none smtp.client-ip=209.85.221.174 
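Review bot: the new check casts a pointer difference to uint, so if rx_tail ever sits past rx_end (a corrupted or already-overrun frame) the negative difference wraps to a huge value and the fragment is accepted; guarding the invariant first, e.g. `if (pfhdr->rx_tail > pfhdr->rx_end || pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail))`, closes that gap. The error path also frees prframe with rtw_free_recvframe() and then the whole defrag_q with rtw_free_recvframe_queue(); the commit message says this copies the function's existing error handling, so it is worth confirming that prframe is not itself still linked on defrag_q, otherwise it is freed twice. A one-line comment stating that the first fragment has already been unlinked from the queue would save the next reader the same check.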
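The capacity check this patch adds, as an added example in plain C that is not driver code and not part of this series: a reassembly buffer modelled on the rx_data/rx_tail/rx_end pointer layout the hunk compares, with an append that refuses a fragment that does not fit in the remaining tail space, plus a constructed fragment sequence for the fitting and the overflowing case. The names (rx_frame, rx_frame_append, reassemble, RXBUF_SIZE) and the 64-byte buffer size are the example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RXBUF_SIZE 64   /* constructed: small so the overflow case is easy to hit */

/* Example frame; the three pointers mirror the driver's rx_data/rx_tail/rx_end. */
struct rx_frame {
	uint8_t buf[RXBUF_SIZE];
	uint8_t *rx_data;   /* first byte of reassembled data */
	uint8_t *rx_tail;   /* one past the last valid byte */
	uint8_t *rx_end;    /* one past the end of the buffer */
};

void rx_frame_init(struct rx_frame *f)
{
	memset(f->buf, 0, sizeof(f->buf));
	f->rx_data = f->buf;
	f->rx_tail = f->buf;
	f->rx_end = f->buf + RXBUF_SIZE;
}

size_t rx_frame_len(const struct rx_frame *f)
{
	return (size_t)(f->rx_tail - f->rx_data);
}

/*
 * Append one fragment. Returns false and leaves the frame untouched when
 * the fragment does not fit in [rx_tail, rx_end). The invariant check comes
 * first: if rx_tail were already past rx_end, the pointer difference below
 * would be negative and, cast to an unsigned type, would wrap to a huge
 * "remaining space" and let the memcpy() through.
 */
bool rx_frame_append(struct rx_frame *f, const uint8_t *frag, size_t len)
{
	if (f->rx_tail > f->rx_end)
		return false;
	if (len > (size_t)(f->rx_end - f->rx_tail))
		return false;
	memcpy(f->rx_tail, frag, len);   /* safe: len <= remaining space */
	f->rx_tail += len;               /* the driver's recvframe_put() step */
	return true;
}

/*
 * Reassemble n fragments. Returns how many were accepted; a result < n means
 * the frame was abandoned at that fragment, as the patch does by freeing the
 * frame and the defrag queue.
 */
size_t reassemble(struct rx_frame *f, const uint8_t *const frags[],
		  const size_t lens[], size_t n)
{
	size_t i;

	rx_frame_init(f);
	for (i = 0; i < n; i++)
		if (!rx_frame_append(f, frags[i], lens[i]))
			break;
	return i;
}

/* Constructed scenario: 20 + 20 + 20 bytes fit in 64; returns the reassembled length. */
size_t demo_fits(void)
{
	static const uint8_t a[20] = {1}, b[20] = {2}, c[20] = {3};
	const uint8_t *const frags[] = { a, b, c };
	const size_t lens[] = { 20, 20, 20 };
	struct rx_frame f;

	if (reassemble(&f, frags, lens, 3) != 3)
		return 0;
	return rx_frame_len(&f);
}

/* Constructed scenario: 20 + 20 + 30 bytes overflow 64; returns fragments accepted. */
size_t demo_overflow(void)
{
	static const uint8_t a[20] = {1}, b[20] = {2}, c[30] = {3};
	const uint8_t *const frags[] = { a, b, c };
	const size_t lens[] = { 20, 20, 30 };
	struct rx_frame f;

	return reassemble(&f, frags, lens, 3);
}

int main(void)
{
	printf("fits: %zu bytes reassembled\n", demo_fits());
	printf("overflow: %zu fragments accepted before the check fired\n", demo_overflow());
	return 0;
}
```

The order of the two tests in rx_frame_append() is the point: the tail-past-end test protects the unsigned comparison that follows it, which is the same concern as the `(uint)` cast in the hunk.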
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore , Sam Daly , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Sun, 5 Apr 2026 11:15:45 +0100
Message-ID: <20260405101548.124829-3-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

In recvframe_chkmic(), datalen is computed as:

    datalen = len - hdrlen - iv_len - icv_len - 8;

All operands are unsigned, so if the frame is shorter than the sum of header, IV, ICV, and MIC lengths, the subtraction wraps to a very large value. This corrupted datalen is then passed to rtw_seccalctkipmic() and used as a pointer offset, leading to out-of-bounds reads on kernel heap memory.

Add a minimum frame length check before the subtraction to prevent the unsigned integer underflow.

Found by reviewing memory operations in the driver. Not tested on hardware.

Signed-off-by: Delene Tchio Romuald
Reviewed-by: Luka Gejak
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl

v2:
- Rebased on staging-next (v1 did not apply due to whitespace changes)

 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 717e0594d983a..11ae99e53b86a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_l= en - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe + prxattrib->hdrlen + prxattrib->iv_len; --=20 2.43.0 From nobody Sun Jun 14 18:58:42 2026 Received: from mail-vk1-f178.google.com (mail-vk1-f178.google.com [209.85.221.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F074B339844 for ; Sun, 5 Apr 2026 10:17:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384258; cv=none; b=kD3Rkj7VZQCN3dmXUruiO794brOEVYJ7E7bjy+Rgm1JoWujqLhM3szh62U74oD0MuQ/U0OKuvSsTkIZ+ypr6ShXthmZSxL5iiv1G8safvHpffSCz1V8UQWWSRH5sCKI/uIZ2ln/2M/ExFRnKWPv8wT82s6Sp9PXQ7y/RM9qNll0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384258; c=relaxed/simple; bh=19jhGrr3E8Gr1+2ReOSVSp6xKLqxyJkOz7EA+S4xiyc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EU5U4GHKECr0jPmzfl/MTRihPCRiOCMIlrBbYlQtcweYNORyKsHf3n1V4jw6fLezPoVfdUSwl+AvmVEY2Lm+do9GQnQ4xI2LsGSvij4nCgt+j6+yYwAuF2Hs44y4UDIj9VXvPqB7giPFGqDm/NCjfKfYyoaYEUZbXBh3YgYWIck= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QLFwV5VK; arc=none smtp.client-ip=209.85.221.178 
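Review bot: the guard uses `<=`, which also rejects a frame whose length is exactly hdrlen + iv_len + icv_len + 8, i.e. a MIC with a zero-length payload; that is probably the right call for MIC verification, but the commit message only promises to stop the underflow, so either say in the comment that empty payloads are rejected on purpose or use `<` if they were accepted before. Minor: the unchanged trailing comment "icv_len included the mic code" now sits directly under a check that adds 8 for the MIC separately; if that comment is stale, this is the moment to drop it.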
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore , Sam Daly , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()
Date: Sun, 5 Apr 2026 11:15:46 +0100
Message-ID: <20260405101548.124829-4-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

In portctrl(), the pointer is advanced by hdrlen + iv_len + LLC_HEADER_LENGTH and then 2 bytes are read via memcpy() to extract the ether_type field. There is no check that the frame is large enough to contain these fields, so a short frame leads to an out-of-bounds read on kernel heap memory.

This code is reachable during 802.1X authentication when the station is in the ieee8021x_blocked state.

Add a frame length check before the pointer arithmetic and wrap the existing ether_type extraction in the else branch so that short frames are dropped safely.

Found by reviewing memory operations in the driver. Not tested on hardware.

Signed-off-by: Delene Tchio Romuald
Reviewed-by: Luka Gejak
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl

v2:
- Rebased on staging-next

 drivers/staging/rtl8723bs/core/rtw_recv.c | 28 +++++++++++++++--------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 11ae99e53b86a..8e38cb9791755 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -539,17 +539,25 @@ static union recv_frame *portctrl(struct adapter *ada= pter, union recv_frame *pre =20 prtnframe =3D precv_frame; =20 - /* get ether_type */ - ptr =3D ptr + pfhdr->attrib.hdrlen + pfhdr->attrib.iv_len + LLC_HEADER_= LENGTH; - memcpy(&be_tmp, ptr, 2); - ether_type =3D ntohs(be_tmp); - - if (ether_type =3D=3D eapol_type) - prtnframe =3D precv_frame; - else { - /* free this frame */ - rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); + /* Ensure frame has LLC header and ether_type */ + if (pfhdr->len < pattrib->hdrlen + + pattrib->iv_len + LLC_HEADER_LENGTH + 2) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); prtnframe =3D NULL; + } else { + /* get ether_type */ + ptr +=3D pattrib->hdrlen + + pattrib->iv_len + + LLC_HEADER_LENGTH; + memcpy(&be_tmp, ptr, 2); + ether_type =3D ntohs(be_tmp); + + if (ether_type !=3D eapol_type) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); + prtnframe =3D NULL; + } } } else { /* allowed */ --=20 2.43.0 From nobody Sun Jun 14 18:58:42 2026 Received: from mail-vk1-f174.google.com (mail-vk1-f174.google.com [209.85.221.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DAB9339844 for ; Sun, 5 Apr 2026 10:17:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384262; cv=none; b=aakZMj1eutikfoPg8we8pDGJGHKLagWku/qOAi2Q9RzLNJr8HIw8IxfeJR6ZKwqmd19WuLuZPUS9PYUdjc9IQOskhibY6olOss/dgZ+6xl0OJev9vjaEf9prmOxLsRamqc9yZxeFf6gKBgO2QysAOb+18QBAPkr0zsVOimBUq8A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384262; c=relaxed/simple; bh=yfx6lPvgGD1BjXJbwxifAAQq3rRl0uxOfdzToGyIlaw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
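Review bot: the length check reads pattrib->hdrlen and pattrib->iv_len while the removed lines used pfhdr->attrib.hdrlen and pfhdr->attrib.iv_len, and the hunk adds no declaration, so pattrib must already be a local alias for pfhdr->attrib; either say so in the commit message or keep pfhdr->attrib in the new lines so the change reads as a pure bounds check. Also confirm that pfhdr->len is counted from the same base as ptr (the frame's rx_data), since the comparison is only sound if both start at the 802.11 header. The two `rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); prtnframe = NULL;` blocks are now identical; a single drop path (a `drop:` label, or a `bool keep` decided by both tests and one free below) would halve the duplication.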
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore , Sam Daly , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Sun, 5 Apr 2026 11:15:47 +0100
Message-ID: <20260405101548.124829-5-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

The IE parsing loops in rtw_get_wapi_ie(), rtw_get_sec_ie(), and rtw_get_wps_ie() check only that the element ID byte is within bounds (cnt < in_len), but then immediately access the length byte at in_ie[cnt+1] and data bytes at in_ie[cnt+2] and beyond without verifying that these offsets are within the buffer.

A malicious access point can send beacon or probe response frames with truncated Information Elements, triggering out-of-bounds reads on kernel heap memory. No authentication is required.

Add two bounds checks to each function:
- Ensure at least 2 bytes remain for the IE header (cnt + 1 < in_len)
- Validate the full IE fits in the buffer before accessing its data (cnt + 2 + ie_len <= in_len)

Found by reviewing memory operations in the driver. Not tested on hardware.

Signed-off-by: Delene Tchio Romuald
Reviewed-by: Luka Gejak
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl

v2:
- Rebased on staging-next (v1 did not apply due to code reformatting)

 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd471..e0fed3f42de0c 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -582,9 +582,12 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_i= e, u16 *wapi_len) =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { @@ -615,9 +618,12 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie= , u16 *rsn_len, u8 *wpa_ie =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { if (wpa_ie) 
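Review bot: in the rtw_get_wapi_ie() hunk the new `cnt + 2 + in_ie[cnt + 1] > in_len` test proves only that the element's declared body fits, yet the unchanged `memcmp(&in_ie[cnt + 6], wapi_oui1, 4)` reads bytes cnt + 6 through cnt + 9, which lie inside the buffer only when the element length is at least 8; add `in_ie[cnt + 1] >= 8 &&` to that condition, or skip elements shorter than that before the memcmp. The rtw_get_sec_ie() hunk has the same shape with `memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)`, which needs a length of at least 4. Both hunks also `break` on a truncated element, which silently discards any well-formed elements that follow it; that is the safe choice, but a comment saying the remainder is deliberately ignored would help.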
@@ -658,9 +664,12 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie,= uint *wps_ielen) =20 cnt =3D 0; =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { wpsie_ptr =3D &in_ie[cnt]; =20 --=20 2.43.0 From nobody Sun Jun 14 18:58:42 2026 Received: from mail-vk1-f176.google.com (mail-vk1-f176.google.com [209.85.221.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AA8C339844 for ; Sun, 5 Apr 2026 10:17:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384269; cv=none; b=aNehxpuoAtmb0sJ85UXdboubhq7czIXAY8uI1EaFksZi9gpj+DGNJW+pvPn40VQLNaX6C9T7LU/niO9FIZNTOKPM2Utlzicmj6SqU22PIHvF1ba4TtTAeBBCG31F0goW3lsigythbWQhC066zyaG65Y5XYfKyErcCSuC97F1Di8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775384269; c=relaxed/simple; bh=WvXwoqID+W+qQF7PnB69MiuKzHz4ZGK/2zS7Kb1WCJA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WPLKBngOgYoe2fNMmmh0Zd5VM2briVQCJNS9++FiWltnUgaHqcIG1qsvGCt6bv5QHAXcI0CaJspeMkgniAbaODZYWPlmewxdUtCc05Y4oEjPfHD6pipl2fFwWQuQ/w7dZhH1ccS3dqOb+/wzboscmN7KGj8N73y8Zb/OJroStls= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gRzRN264; arc=none smtp.client-ip=209.85.221.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit 
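Review bot: the fit check here guarantees only that the declared body of the element lies inside the buffer, while the unchanged `memcmp(&in_ie[cnt + 2], wps_oui, 4)` in rtw_get_wps_ie() reads four body bytes and so additionally needs `in_ie[cnt + 1] >= 4` before it is safe; add that to the condition. Since all three loops in this patch now carry the same two-line prologue, a small static helper taking (in_ie, in_len, cnt) and returning whether a complete element starts there would keep the copies from drifting apart the next time one of them is touched.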
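The element walk this patch hardens, written out as an added C example that is not the driver's code and not part of this series. It generalizes the three fixed loops into one reusable check (both bounds tests from the commit message), a counter that reports truncation instead of silently stopping, and a vendor-element lookup that also requires the body to be long enough for the 4-byte prefix compare, which a fit check alone does not guarantee. The sample element bytes, the function names and the 4-byte OUI+type prefixes are constructed for the example; 0xdd is the standard 802.11 vendor-specific element ID.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_VENDOR_SPECIFIC 0xdd   /* 802.11 vendor-specific element ID (221) */

/* One parsed element: ID, declared length and a pointer to its body. */
struct ie_view {
	uint8_t eid;
	uint8_t len;
	const uint8_t *body;
};

/*
 * Is a complete element present at offset cnt? Both checks from the patch:
 * the two header bytes must be readable, and the declared body must end
 * inside the buffer. All arithmetic is size_t, so cnt + 2 + len cannot wrap.
 */
bool ie_complete_at(const uint8_t *in_ie, size_t in_len, size_t cnt)
{
	if (cnt + 1 >= in_len)                    /* no room for ID + length */
		return false;
	return cnt + 2 + in_ie[cnt + 1] <= in_len;
}

/*
 * Count complete elements. Stops at the first truncated one and reports it
 * through *truncated, so the caller can treat the whole list as suspect
 * rather than quietly using a partial one.
 */
size_t count_complete_ies(const uint8_t *in_ie, size_t in_len, bool *truncated)
{
	size_t cnt = 0, n = 0;

	while (cnt + 1 < in_len) {
		if (!ie_complete_at(in_ie, in_len, cnt))
			break;
		n++;
		cnt += 2 + in_ie[cnt + 1];
	}
	*truncated = (cnt != in_len);             /* cut-off element or stray bytes */
	return n;
}

/*
 * Offset of the first vendor-specific element whose body starts with the
 * 4-byte prefix, or -1. The `len >= 4` test is the extra guard the fit
 * check does not provide: memcmp() must not read past a 1- to 3-byte body.
 */
int find_vendor_ie(const uint8_t *in_ie, size_t in_len,
		   const uint8_t prefix[4], struct ie_view *out)
{
	size_t cnt = 0;

	while (cnt + 1 < in_len) {
		uint8_t eid = in_ie[cnt];
		uint8_t len = in_ie[cnt + 1];         /* readable: cnt + 1 < in_len */

		if (!ie_complete_at(in_ie, in_len, cnt))
			return -1;                        /* truncated: stop, never read past in_len */
		if (eid == EID_VENDOR_SPECIFIC && len >= 4 &&
		    memcmp(&in_ie[cnt + 2], prefix, 4) == 0) {
			out->eid = eid;
			out->len = len;
			out->body = &in_ie[cnt + 2];
			return (int)cnt;
		}
		cnt += 2 + len;
	}
	return -1;
}

/* Constructed sample: SSID "test", a WPA vendor element (OUI 00:50:f2, type 1),
 * then a vendor element whose declared length 10 exceeds the 3 bytes left. */
const uint8_t sample_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't',
	0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
	0xdd, 0x0a, 0x00, 0x50, 0xf2,
};
const size_t sample_ies_len = sizeof(sample_ies);
const uint8_t wpa_prefix[4] = { 0x00, 0x50, 0xf2, 0x01 };
const uint8_t wmm_prefix[4] = { 0x00, 0x50, 0xf2, 0x02 };   /* not in the sample */

/* Offset of the WPA element in the sample (6). */
int demo_wpa_offset(void)
{
	struct ie_view v;
	return find_vendor_ie(sample_ies, sample_ies_len, wpa_prefix, &v);
}

/* Absent prefix: the walk reaches the truncated element and stops with -1. */
int demo_wmm_offset(void)
{
	struct ie_view v;
	return find_vendor_ie(sample_ies, sample_ies_len, wmm_prefix, &v);
}

/* Complete elements within the first n bytes of the sample, and whether n cuts one off. */
size_t demo_complete_count(size_t n)
{
	bool t;
	return count_complete_ies(sample_ies, n, &t);
}

bool demo_is_truncated(size_t n)
{
	bool t;
	count_complete_ies(sample_ies, n, &t);
	return t;
}
```

With the full 19-byte sample the walk finds two complete elements and flags truncation; with only the first 14 bytes it finds the same two and reports a clean list, and a 15-byte view (one stray byte after the WPA element) is flagged as well.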
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore , Sam Daly , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Sun, 5 Apr 2026 11:15:48 +0100
Message-ID: <20260405101548.124829-6-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

In rtw_wep_decrypt(), length is declared as signed int and computed as:

    length = len - hdrlen - iv_len;

If the received frame is shorter than the combined header and IV lengths, length becomes negative. It is then passed to arc4_crypt() which takes a u32 parameter, causing the negative value to be implicitly cast to a very large unsigned value (e.g., -8 becomes 4294967288). This results in a massive out-of-bounds read and write on the heap via arc4_crypt(), and a similar overflow at the subsequent crc32_le() call using length - 4.

Add a minimum frame length check before the subtraction to ensure length is always positive.

Found by reviewing memory operations in the driver. Not tested on hardware.

Signed-off-by: Delene Tchio Romuald
Reviewed-by: Luka Gejak
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl

 drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
index a00504ff29109..f3bc2240749a4 100644
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *pr= ecvframe) memcpy(&wepkey[0], iv, 3); /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11Pr= ivacyKeyIndex].skey[0], keylength); */ memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylen= gth); + + /* Ensure the frame is long enough for WEP decryption */ + if (((union recv_frame *)precvframe)->u.hdr.len <=3D + prxattrib->hdrlen + prxattrib->iv_len) + return; + length =3D ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrl= en - prxattrib->iv_len; =20 payload =3D pframe + prxattrib->iv_len + prxattrib->hdrlen; --=20 2.43.0
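Review bot: the new check only guarantees `length >= 1`, but the commit message itself notes that crc32_le() later runs over `length - 4`, so a frame with 1 to 3 bytes after the IV still produces a negative CRC length and the same unsigned wrap; require the ICV to be present too, e.g. `if (((union recv_frame *)precvframe)->u.hdr.len < prxattrib->hdrlen + prxattrib->iv_len + 4) return;`. rtw_wep_decrypt() is void, so the early return leaves the frame undecrypted without telling the caller; if such a frame should be marked bad rather than passed on as-is, a status flag needs setting here. The key is also assembled into wepkey by the two memcpy() calls just above the check; moving the check ahead of them avoids preparing a key for a frame that is about to be discarded.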
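The two arithmetic failure modes described in the 2/5 and 5/5 commit messages (an all-unsigned subtraction that wraps, and a signed result handed to a u32 parameter), as an added C example that is not driver code and not part of this series. It computes both the unchecked lengths and a checked form of each, where the fixed overhead is added up first and compared before any subtraction; for the WEP case the minimum also covers the 4-byte ICV so that the later `length - 4` stays in range. The struct, function names, MIC/ICV sizes and the constructed attrib values are the example's own assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-frame offsets, mirroring the attrib fields both code paths subtract. */
struct frame_attrib {
	uint32_t hdrlen;   /* 802.11 header length */
	uint32_t iv_len;   /* IV / extended IV length */
	uint32_t icv_len;  /* ICV length */
};

#define TKIP_MIC_LEN 8   /* Michael MIC appended to a TKIP payload */
#define WEP_ICV_LEN  4   /* CRC-32 ICV at the end of a WEP payload */

/*
 * TKIP path as described in the 2/5 message: every operand is unsigned, so a
 * frame shorter than the fixed overhead wraps to ~4 GiB instead of going negative.
 */
uint32_t tkip_datalen_unchecked(uint32_t len, const struct frame_attrib *a)
{
	return len - a->hdrlen - a->iv_len - a->icv_len - TKIP_MIC_LEN;
}

/*
 * WEP path as described in the 5/5 message: the signed result is handed to a
 * u32 parameter, so -8 arrives as 4294967288.
 */
uint32_t wep_length_as_u32_unchecked(uint32_t len, const struct frame_attrib *a)
{
	int length = (int)len - (int)a->hdrlen - (int)a->iv_len;  /* may be negative */
	return (uint32_t)length;  /* what a u32 callee such as arc4_crypt() receives */
}

/*
 * Checked TKIP length: sum the overhead in 64 bits, compare before subtracting,
 * and fail instead of returning a wrapped value. `<=` follows the patch: a
 * frame with no payload bytes at all is rejected too.
 */
bool tkip_datalen_checked(uint32_t len, const struct frame_attrib *a, uint32_t *out)
{
	uint64_t overhead = (uint64_t)a->hdrlen + a->iv_len + a->icv_len + TKIP_MIC_LEN;

	if (len <= overhead)
		return false;
	*out = (uint32_t)(len - overhead);
	return true;
}

/*
 * Checked WEP length: the result still includes the ICV (the driver runs the
 * CRC over length - 4), so the minimum is header + IV + ICV rather than
 * header + IV; that keeps both the cipher length and the CRC length in range.
 */
bool wep_length_checked(uint32_t len, const struct frame_attrib *a, uint32_t *out)
{
	uint64_t overhead = (uint64_t)a->hdrlen + a->iv_len + WEP_ICV_LEN;

	if (len < overhead)
		return false;
	*out = len - a->hdrlen - a->iv_len;   /* >= WEP_ICV_LEN by the check above */
	return true;
}

/* Constructed attribs: 24-byte header, TKIP 8-byte IV / 4-byte ICV, WEP 4-byte IV / ICV. */
const struct frame_attrib demo_tkip = { 24, 8, 4 };
const struct frame_attrib demo_wep = { 24, 4, 4 };
uint32_t demo_out;

int main(void)
{
	demo_out = 0;
	printf("TKIP, 40-byte frame, unchecked datalen = %" PRIu32 "\n",
	       tkip_datalen_unchecked(40, &demo_tkip));
	printf("TKIP, 40-byte frame, checked: %s\n",
	       tkip_datalen_checked(40, &demo_tkip, &demo_out) ? "ok" : "rejected");
	printf("WEP, 20-byte frame, unchecked u32 length = %" PRIu32 "\n",
	       wep_length_as_u32_unchecked(20, &demo_wep));
	printf("WEP, 32-byte frame, checked: %s, length %" PRIu32 "\n",
	       wep_length_checked(32, &demo_wep, &demo_out) ? "ok" : "rejected", demo_out);
	return 0;
}
```

The 20-byte WEP frame reproduces the number quoted in the commit message (-8 seen as 4294967288); the checked variants return false for every frame below the minimum and a small, correct length above it.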