Message-Id: <20210918134024.23837-1-martin@kaiser.cx>
Date:   Sat, 18 Sep 2021 15:40:24 +0200
From:   Martin Kaiser <martin@...ser.cx>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Larry Finger <Larry.Finger@...inger.net>,
        Phillip Potter <phil@...lpotter.co.uk>,
        Michael Straube <straube.linux@...il.com>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
        Martin Kaiser <martin@...ser.cx>
Subject: [PATCH] staging: r8188eu: do not write past the end of an array

Commit f7b687d6b67e ("staging: r8188eu: remove NumTotalRFPath from struct
hal_data_8188e") removed a for loop around a block of code that is executed
only once when i == 0. However, without the for loop, i will never be set
to 0 before the code block is executed. i remains at 2, which is the final
value after the previous loop. This results in a write past the end of the
powerlevel and MCSBase arrays.

[   28.480809] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu]
[   28.493752] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu] ]---

Fix this by replacing i with 0 in the code block that used to be the body of
the loop. While at it, remove the powerlevel array that was just holding a
temporary value.

Tested with Edimax EW-7811Un V2 on an ARM32 embedded system.

Fixes: f7b687d6b67e ("staging: r8188eu: remove NumTotalRFPath from struct hal_data_8188e")
Signed-off-by: Martin Kaiser <martin@...ser.cx>
---
 drivers/staging/r8188eu/hal/rtl8188e_rf6052.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c b/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c
index 2f16c0966973..b334864feffd 100644
--- a/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c
+++ b/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c
@@ -227,7 +227,7 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM,
 {
 	struct hal_data_8188e *pHalData = GET_HAL_DATA(Adapter);
 	u32 powerBase0, powerBase1;
-	u8 i, powerlevel[2];
+	u8 i;
 
 	for (i = 0; i < 2; i++) {
 		powerBase0 = pPowerLevelOFDM[i];
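
Review bot: `i` stays declared at function scope here and still leaves the `for (i = 0; i < 2; i++)` loop holding 2, the exact state the commit message identifies as the cause of the out-of-bounds write. Dropping `powerlevel[2]` removes one of the two overrun targets, but the loop bound remains a bare literal and the visible lines do not say what the two entries of `pPowerLevelOFDM` represent. A named constant for the bound, or a one-line comment after the loop stating that `i` must not be used as an index past this point, would make a repeat of this regression less likely during further cleanup.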
@@ -238,12 +238,11 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM,
 
 	/* Check HT20 to HT40 diff */
 	if (pHalData->CurrentChannelBW == HT_CHANNEL_WIDTH_20)
-		powerlevel[i] = pPowerLevelBW20[i];
+		powerBase1 = pPowerLevelBW20[0];
 	else
-		powerlevel[i] = pPowerLevelBW40[i];
-	powerBase1 = powerlevel[i];
+		powerBase1 = pPowerLevelBW40[0];
 	powerBase1 = (powerBase1 << 24) | (powerBase1 << 16) | (powerBase1 << 8) | powerBase1;
-	*(MCSBase + i) = powerBase1;
+	*MCSBase = powerBase1;
 }
 
 static void get_rx_power_val_by_reg(struct adapter *Adapter, u8 Channel,
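
Review bot: The literal index 0 in `pPowerLevelBW20[0]`, `pPowerLevelBW40[0]` and `*MCSBase` is correct per the commit message (the removed loop only ever ran for i == 0), but the code carries no comment saying why only the first element is read and written. The existing "Check HT20 to HT40 diff" comment could be extended with a short note that only index 0 is used. All post-loop uses of `i` visible in this hunk are gone, which closes both the `powerlevel` and the `MCSBase` overrun. As a possible follow-up, since a single element of each buffer is touched, the parameters could be reviewed so that the signature no longer suggests the function indexes into caller-sized arrays.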
-- 
2.20.1
