Arend Van Spriel <aspriel@xxxxxxxxx> writes: > On 10/21/2022 8:57 AM, Kalle Valo wrote: >> Dokyung Song <dokyung.song@xxxxxxxxx> writes: >> >>> This patch fixes an intra-object buffer overflow in brcmfmac that occurs >>> when the device provides a 'bsscfgidx' equal to or greater than the >>> buffer size. The patch adds a check that leads to a safe failure if that >>> is the case. >>> >>> This fixes CVE-2022-3628. >>> >>> UBSAN: array-index-out-of-bounds in >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c >>> index 52 is out of range for type 'brcmf_if *[16]' > > [...] > >>> Reported-by: Dokyung Song <dokyungs@xxxxxxxxxxxx> >>> Reported-by: Jisoo Jang <jisoo.jang@xxxxxxxxxxxx> >>> Reported-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> >>> Reviewed-by: Arend van Spriel <aspriel@xxxxxxxxx> >>> Signed-off-by: Dokyung Song <dokyung.song@xxxxxxxxx> >>> --- >>> v1->v2: Addressed review comments >>> v2->v3: The subject now begins with 'wifi:' and add a reference to a CVE number >>> >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 4 ++++ >>> 1 file changed, 4 insertions(+) >> >> Please include the driver name in the subject. And we prefer use >> parenthesis with function names. So the subject should be: >> >> wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() >> >> I can fix that during commit. >> >> Should I queue this to v6.1? > > Please do. Probably good to add Cc: for stable. Should apply to older > kernels as is. Ok, I'll add that as well. > btw. is there any formal way to reference CVE. There probably isn't as > generally we don't require a CVE in kernel tree [1]. I'm not aware of any formal way to mark CVEs. If there are, please let me know :) -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
