From owner-freebsd-wireless@freebsd.org  Sun Mar 21 14:18:03 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D93F2576DDB
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3KV35cShz3CMQ
 for <freebsd-wireless@freebsd.org>; Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id C0B76576DDA; Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id C084F577301
 for <wireless@mailman.nyi.freebsd.org>; Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3KV351hrz3C8J
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9F9121C1BC
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 14:18:03 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12LEI3XU067739
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 14:18:03 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12LEI3S9067738
 for wireless@FreeBSD.org; Sun, 21 Mar 2021 14:18:03 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 248235] rtw88: RTL8822CE 802.11ac PCIe support
Date: Sun, 21 Mar 2021 14:18:03 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: 12.1-STABLE
X-Bugzilla-Keywords: feature, needs-patch
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: sp6ina@pzk.pl
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: mfc-stable12?
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-248235-21060-vGUfPsOXXJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248235-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-248235-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2021 14:18:03 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D248235

Mariusz <sp6ina@pzk.pl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sp6ina@pzk.pl

--- Comment #4 from Mariusz <sp6ina@pzk.pl> ---
Hi. Is there any progress on the driver?

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Sun Mar 21 21:00:21 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6D2C25AC730
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Sun, 21 Mar 2021 21:00:21 +0000 (UTC)
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3VQD5wt8z4R1X
 for <freebsd-wireless@freebsd.org>; Sun, 21 Mar 2021 21:00:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 9A09B5AC470; Sun, 21 Mar 2021 21:00:20 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9352E5AC62A
 for <wireless@mailman.nyi.freebsd.org>; Sun, 21 Mar 2021 21:00:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3VQD15xjz4R6Q
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 21:00:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0525321888
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 21:00:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12LL0JKk074139
 for <wireless@FreeBSD.org>; Sun, 21 Mar 2021 21:00:19 GMT
 (envelope-from bugzilla-noreply@FreeBSD.org)
Received: (from bugzilla@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12LL0JdI074138
 for wireless@FreeBSD.org; Sun, 21 Mar 2021 21:00:19 GMT
 (envelope-from bugzilla-noreply@FreeBSD.org)
Message-Id: <202103212100.12LL0JdI074138@kenobi.freebsd.org>
X-Authentication-Warning: kenobi.freebsd.org: bugzilla set sender to
 bugzilla-noreply@FreeBSD.org using -f
From: bugzilla-noreply@FreeBSD.org
To: wireless@FreeBSD.org
Subject: Problem reports for wireless@FreeBSD.org that need special attention
Date: Sun, 21 Mar 2021 21:00:19 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.34
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2021 21:00:21 -0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    237921 | wpi: Memory leak in function wpi_free_tx_ring of  
Open        |    154598 | [ath] Atheros 5424/2424 can't connect to WPA netw 
Open        |    236918 | Crash: in iwn_ampdu_tx_stop (or ieee80211_ht_node 
Open        |    238636 | ath: Fix kernel addresses printed in if_ath_sysct 
Open        |    240776 | iwm: Can't find wifi networks after short time si 

5 problems total for which you should take action.

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:15:33 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9CA3F5B01C1
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3xNj3XfVz3jjT
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 764315AFF5E; Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 75F375AFF5C
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3xNj2fB6z3jjS
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3FC2573A9
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:15:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MEFXjT001860
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:15:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MEFXcG001859
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:15:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Date: Mon, 22 Mar 2021 14:15:33 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cutesmilee.business@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:15:33 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

            Bug ID: 254479
           Summary: Kernel remote heap overflow in Realtek
                    RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: cutesmilee.business@gmail.com

rsu_raw_xmit() in the last if statement calls rsu_tx_start(), taking a
user-controlled mbuf as parameter.
at the end of the function m_copydata() is called, and it copies the
user-controlled mbuf with the length of the packet / the length of the mbuf
(which isn't checked), the smaller size is taken (the user can provide a big
payload), and the mbuf gets copied to the TX Descriptor struct (struct
r92s_tx_desc) which is 32 bytes.
these vulnerabilities are only for Realtek RTL8188SU/RTL8191SU/RTL8192SU wi=
fi
cards (that are connected via USB?).

vulnerable code:

static int
rsu_tx_start(struct rsu_softc *sc, struct ieee80211_node *ni,=20
    struct mbuf *m0, struct rsu_data *data)
{
        struct ieee80211vap *vap =3D ni->ni_vap;
        struct ieee80211_frame *wh;
        struct ieee80211_key *k =3D NULL;
        struct r92s_tx_desc *txd;
        uint8_t type;
        int prio =3D 0;
        uint8_t which;
        int hasqos;
        int xferlen;
        int qid;

        [...]

        xferlen =3D sizeof(*txd) + m0->m_pkthdr.len;
        m_copydata(m0, 0, m0->m_pkthdr.len, (caddr_t)&txd[1]); // <- heap
overflow here

        data->buflen =3D xferlen;
        data->ni =3D ni;
        data->m =3D m0;
        STAILQ_INSERT_TAIL(&sc->sc_tx_pending[which], data, next);

        /* start transfer, if any */
        usbd_transfer_start(sc->sc_xfer[which]);
        return (0);
}

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:27:51 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 063375B0B21
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:27:51 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3xft6ZPGz3khJ
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:27:50 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id DFE125B07D8; Mon, 22 Mar 2021 14:27:50 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id DFADA5B0876
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:27:50 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3xft5xTJz3kSH
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:27:50 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BE695748E
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:27:50 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MERoRm009315
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:27:50 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MERobx009314
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:27:50 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Date: Mon, 22 Mar 2021 14:27:51 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: alias
Message-ID: <bug-254479-21060-rHyKWggxmJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:27:51 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Tommaso <cutesmilee.research@protonmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |RSU, overflow

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:28:06 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 129655B0963
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:28:06 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3xg96xWYz3kSR
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:28:05 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id EE37E5B0962; Mon, 22 Mar 2021 14:28:05 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id EE0045B0B27
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:28:05 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3xg96K7Hz3kVv
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:05 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CC1F576A4
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:05 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MES5cP009381
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:05 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MES5fA009380
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:28:05 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Date: Mon, 22 Mar 2021 14:28:06 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: alias
Message-ID: <bug-254479-21060-tWbh5rkFWc@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:28:06 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Tommaso <cutesmilee.research@protonmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|overflow                    |

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:28:13 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 784E85B0C91
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3xgK2gdGz3ksj
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 5BD185B087C; Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5BA235B0C90
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3xgK1zz8z3kkM
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 376B271E0
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:13 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MESDLB009417
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:28:13 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MESDAm009416
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:28:13 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Date: Mon, 22 Mar 2021 14:28:13 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: alias
Message-ID: <bug-254479-21060-0pNywCz0gx@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:28:13 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Tommaso <cutesmilee.research@protonmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|RSU                         |

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:44:57 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id AEC0E5B132A
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3y2d4Mjdz3mCQ
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 942935B148B; Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 93F6B5B1329
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3y2d3fgNz3mMW
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 70BAB75F3
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:44:57 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MEivDH018059
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:44:57 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MEiv99018058
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:44:57 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 14:44:57 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: short_desc
Message-ID: <bug-254479-21060-PDGDHcwpi2@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:44:57 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Tommaso <cutesmilee.research@protonmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Kernel remote heap overflow |Kernel remote heap overflow
                   |in Realtek                  |in Realtek
                   |RTL8188SU/RTL8191SU/RTL8192 |RTL8188SU/RTL8191SU/RTL8192
                   |SU Wifi Cards driver        |SU Wifi Cards USB driver

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:50:45 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C6595B16BF
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3y9K2RFgz3mcF
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 517755B1644; Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 514275B1813
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3y9K1kwWz3mWV
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2EC5C75FC
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:50:45 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MEoj05019456
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:50:45 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MEojw0019455
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:50:45 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 14:50:45 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: adrian@freebsd.org
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_severity cc bug_status
Message-ID: <bug-254479-21060-a4uOvJFfgA@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:50:45 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Adrian Chadd <adrian@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Affects Some People         |Affects Many People
                 CC|                            |adrian@freebsd.org
             Status|New                         |Open

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 14:51:37 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 13B1D5B1655
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 14:51:37 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3yBJ6wt2z3mpL
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 14:51:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id EDB695B157D; Mon, 22 Mar 2021 14:51:36 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id ED72E5B16CE
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 14:51:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3yBJ6GzVz3mhr
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:51:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CA60B7875
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:51:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MEpaNW021259
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 14:51:36 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MEpad5021258
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 14:51:36 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 14:51:37 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: markj@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-254479-21060-XK3KlSoh68@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:51:37 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

--- Comment #1 from Mark Johnston <markj@FreeBSD.org> ---
Was this analysis based on a crash you hit, or the output of some static
analysis?  It is copying the mbuf contents into a buffer of size RSU_TXBUFS=
Z,
not of size sizeof(struct r92s_tx_desc).

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 15:00:54 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 430C35B1943
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3yP21FNbz3nBh
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 2AC575B1942; Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2A93F5B173E
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3yP20fvXz3n0c
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 099C17A3B
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:00:54 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MF0rpc027604
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:00:53 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MF0rVC027603
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 15:00:53 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 15:00:54 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-254479-21060-6evBSnhOvz@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 15:00:54 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

--- Comment #2 from Tommaso <cutesmilee.research@protonmail.com> ---
(In reply to Mark Johnston from comment #1)
oh, haven't noticed that, this was found by static analysis, also i don't k=
now
if it can cause an issue, but i've noticed that in the same function, while
other if statements that call m_freem() are locked, the first one isn't.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 15:07:34 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6AA785B1B3C
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3yXk2Bh5z3nbc
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 4AEC65B1E17; Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4A70C5B1A7F
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3yXk1Kkbz3nnt
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 06EC17E41
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:07:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MF7XMa029647
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:07:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MF7XCU029646
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 15:07:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 15:07:34 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-254479-21060-1Ct3QqKtQJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 15:07:34 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

--- Comment #3 from Tommaso <cutesmilee.research@protonmail.com> ---
(In reply to Tommaso from comment #2)
looking at other implementation of rum_raw_xmit() in other drivers, seems l=
ike
a lock should be taken, since all of the take one / make sure sc is locked.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 15:20:36 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 90B285B2518
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3yqm3VRFz3pkV
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 764565B2517; Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 760F75B24AE
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3yqm2rR0z3q0q
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4B4067FEA
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:20:36 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MFKadO035676
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:20:36 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MFKaIJ035675
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 15:20:36 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 15:20:36 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-254479-21060-j3WQzGpEA6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 15:20:36 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

--- Comment #4 from Tommaso <cutesmilee.research@protonmail.com> ---
(In reply to Tommaso from comment #3)
static int=20=20=20=20=20=20
rsu_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,=20
    const struct ieee80211_bpf_params *params)
{
        struct ieee80211com *ic =3D ni->ni_ic;
        struct rsu_softc *sc =3D ic->ic_softc;
        struct rsu_data *bf;

        /* prevent management frames from being sent if we're not ready */
        if (!sc->sc_running) { // no lock is taken
                m_freem(m);
                return (ENETDOWN);
        }
        RSU_LOCK(sc); // locks=20
        bf =3D rsu_getbuf(sc);
        if (bf =3D=3D NULL) {
                m_freem(m);
                RSU_UNLOCK(sc); // unlocks only after the if and the free
                return (ENOBUFS);
        }
        if (rsu_tx_start(sc, ni, m, bf) !=3D 0) {
                m_freem(m);
                rsu_freebuf(sc, bf);
                RSU_UNLOCK(sc); // same here
                return (EIO);
        }
        RSU_UNLOCK(sc); // unlocks if no error occurred

        return (0);
}

for example in rum driver a lock is taken:

static int
rum_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
    const struct ieee80211_bpf_params *params)
{
        struct rum_softc *sc =3D ni->ni_ic->ic_softc;
        int ret;

        RUM_LOCK(sc); // lock taken before checking sc_running value
        /* prevent management frames from being sent if we're not ready */
        if (!sc->sc_running) {
                ret =3D ENETDOWN;
                goto bad;
        }
        if (sc->tx_nfree < RUM_TX_MINFREE) {
                ret =3D EIO;
                goto bad;
        }

        if (params =3D=3D NULL) {
                /*
                 * Legacy path; interpret frame contents to decide
                 * precisely how to send the frame.
                 */
                if ((ret =3D rum_tx_mgt(sc, m, ni)) !=3D 0)
                        goto bad;
        } else {
                /*
                 * Caller supplied explicit parameters to use in
                 * sending the frame.
                 */
                if ((ret =3D rum_tx_raw(sc, m, ni, params)) !=3D 0)
                        goto bad;
        }
        RUM_UNLOCK(sc);

        return 0;
bad:
        RUM_UNLOCK(sc);
        m_freem(m);
        return ret;
}

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 15:26:32 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D84895B2A24
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F3yyc5bjPz3qbk
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id BDA045B28B8; Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id BD63F5B2AA2
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F3yyc4lHKz3qY1
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 91C107FFD
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:26:32 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MFQWcF038178
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 15:26:32 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MFQWu8038177
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 15:26:32 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 15:26:32 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: markj@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: Not A Bug
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: cc bug_status resolution
Message-ID: <bug-254479-21060-XT5SEdYnzt@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 15:26:32 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj@FreeBSD.org
             Status|Open                        |Closed
         Resolution|---                         |Not A Bug

--- Comment #5 from Mark Johnston <markj@FreeBSD.org> ---
Whether the lock is held doesn't really matter.  At this point the driver o=
wns
the mbuf.  The lock only protects driver state, so if, say, it updates a
descriptor to point to the mbuf buffer, we'd want to ensure that the pointe=
r is
cleared before the mbuf is freed or handed off to other layers.  But the ac=
tual
m_freem() call does not require any synchronization.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

From owner-freebsd-wireless@freebsd.org  Mon Mar 22 18:36:29 2021
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 200C45B816C
 for <freebsd-wireless@mailman.nyi.freebsd.org>;
 Mon, 22 Mar 2021 18:36:29 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4F439n0DLRz4bGD
 for <freebsd-wireless@freebsd.org>; Mon, 22 Mar 2021 18:36:29 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 078885B816B; Mon, 22 Mar 2021 18:36:29 +0000 (UTC)
Delivered-To: wireless@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 074CF5B82B4
 for <wireless@mailman.nyi.freebsd.org>; Mon, 22 Mar 2021 18:36:29 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F439m6kb9z4bPH
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 18:36:28 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DA32C12CA8
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 18:36:28 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 12MIaSks036787
 for <wireless@FreeBSD.org>; Mon, 22 Mar 2021 18:36:28 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from bugzilla@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 12MIaShL036786
 for wireless@FreeBSD.org; Mon, 22 Mar 2021 18:36:28 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: bugzilla set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek
 RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 18:36:28 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: Not A Bug
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-254479-21060-T3UzQ8vNhC@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
References: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 18:36:29 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254479

--- Comment #6 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=3D453d8a7ee2fc862f3a5e98185d57c8ad0=
5cbc047

commit 453d8a7ee2fc862f3a5e98185d57c8ad05cbc047
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2021-03-22 18:34:31 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2021-03-22 18:34:44 +0000

    rsu: add KASSERT to document maximum mbuf size in rsu_tx_start

    PR:             254479
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation

 sys/dev/usb/wlan/if_rsu.c | 1 +
 1 file changed, 1 insertion(+)

--=20
You are receiving this mail because:
You are the assignee for the bug.=