| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <582b5bc4c4434934838ae28d77b7f73a@realtek.com>
Date: Tue, 27 May 2025 07:38:17 +0000
From: Zong-Zhe Yang <kevin_yang@...ltek.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
CC: Ping-Ke Shih <pkshih@...ltek.com>,
"linux-wireless@...r.kernel.org"
<linux-wireless@...r.kernel.org>,
"linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>,
"kernel-janitors@...r.kernel.org"
<kernel-janitors@...r.kernel.org>
Subject: RE: [PATCH next] wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch()
Dan Carpenter <dan.carpenter@...aro.org> wrote:
>
> The "link_id" value comes from the user via debugfs. If it's larger than BITS_PER_LONG then
> that would result in shift wrapping and potentially an out of bounds access later. Fortunately,
> only root can write to debugfs files so the security impact is minimal.
>
Thank you for catching this problem.
>
> [...]
>
> @@ -5239,6 +5239,9 @@ int rtw89_core_mlsr_switch(struct rtw89_dev *rtwdev, struct
> rtw89_vif *rtwvif,
> if (unlikely(!ieee80211_vif_is_mld(vif)))
> return -EOPNOTSUPP;
>
> + if (unlikely(link_id >= BITS_PER_LONG))
> + return -EINVAL;
> +
Since I think this problem only comes from dbgfs path, would you like to just add a check in debug.c ?
For example,
(based on 0 <= valid link id < IEEE80211_MLD_MAX_NUM_LINKS < BITS_PER_LONG)
rtw89_debug_priv_mlo_mode_set(...)
{
...
switch (mlo_mode) {
case RTW89_MLO_MODE_MLSR:
if (argv >= IEEE80211_MLD_MAX_NUM_LINKS)
return -EINVAL;
...
> if (unlikely(!(usable_links & BIT(link_id)))) {
> rtw89_warn(rtwdev, "%s: link id %u is not usable\n", __func__,
> link_id);
> --
> 2.47.2
Powered by blists - more mailing lists