On 10/21/2022 8:57 AM, Kalle Valo wrote:
Dokyung Song <dokyung.song@xxxxxxxxx> writes:
This patch fixes an intra-object buffer overflow in brcmfmac that occurs
when the device provides a 'bsscfgidx' equal to or greater than the
buffer size. The patch adds a check that leads to a safe failure if that
is the case.
This fixes CVE-2022-3628.
UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 52 is out of range for type 'brcmf_if *[16]'
[...]
Reported-by: Dokyung Song <dokyungs@xxxxxxxxxxxx>
Reported-by: Jisoo Jang <jisoo.jang@xxxxxxxxxxxx>
Reported-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
Reviewed-by: Arend van Spriel <aspriel@xxxxxxxxx>
Signed-off-by: Dokyung Song <dokyung.song@xxxxxxxxx>
---
v1->v2: Addressed review comments
v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++
1 file changed, 4 insertions(+)
Please include the driver name in the subject. And we prefer use
parenthesis with function names. So the subject should be:
wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
I can fix that during commit.
Should I queue this to v6.1?
Please do. Probably good to add Cc: for stable. Should apply to older
kernels as is.
btw. is there any formal way to reference CVE. There probably isn't as
generally we don't require a CVE in kernel tree [1].
Regards,
Arend
[1] https://docs.kernel.org/admin-guide/security-bugs.html
