lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 6 Oct 2023 15:37:40 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Igor Artemiev <Igor.A.Artemiev@...t.ru>
Cc:     Larry Finger <Larry.Finger@...inger.net>,
        Florian Schilhabel <florian.c.schilhabel@...glemail.com>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
        lvc-project@...uxtesting.org
Subject: Re: [lvc-project] [PATCH] staging: rtl8712: fix buffer overflow in
 r8712_xmitframe_complete()

On Tue, Sep 19, 2023 at 12:23:18PM +0300, Igor Artemiev wrote:
> The value of pxmitframe->attrib.priority in r8712_issue_addbareq_cmd(),
> which dump_xframe() calls, is used to calculate the index for accessing 
> an array of size 16. The value of pxmitframe->attrib.priority can be 
> greater than 15, because the r8712_update_attrib() function can write 
> a value up to 31 to attrib.priority, and r8712_xmitframe_complete() 
> checks that pxmitframe->attrib.priority is less than 16 before 
> calling r8712_xmitframe_coalesce().

But that number comes from the hardware, so how can it ever be larger
than 15?

> Found by Linux Verification Center (linuxtesting.org) with SVACE.

How was this tested to verify that it can be triggered and that this
change solves anything?

You have read the kernel documentation for what is required when using
"research tools" like this, right?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ