From owner-freebsd-wireless@freebsd.org Mon Mar 22 15:20:36 2021
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
Date: Mon, 22 Mar 2021 15:20:36 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: wireless
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: cutesmilee.research@protonmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: wireless@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: "Discussions of 802.11 stack, tools device driver development."
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479

--- Comment #4 from Tommaso ---
(In reply to Tommaso from comment #3)

static int
rsu_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
    const struct ieee80211_bpf_params *params)
{
	struct ieee80211com *ic = ni->ni_ic;
	struct rsu_softc *sc = ic->ic_softc;
	struct rsu_data *bf;

	/* prevent management frames from being sent if we're not ready */
	if (!sc->sc_running) {		// no lock is taken
		m_freem(m);
		return (ENETDOWN);
	}
	RSU_LOCK(sc);			// locks
	bf = rsu_getbuf(sc);
	if (bf == NULL) {
		m_freem(m);
		RSU_UNLOCK(sc);		// unlocks only after the if and the free
		return (ENOBUFS);
	}
	if (rsu_tx_start(sc, ni, m, bf) != 0) {
		m_freem(m);
		rsu_freebuf(sc, bf);
		RSU_UNLOCK(sc);		// same here
		return (EIO);
	}
	RSU_UNLOCK(sc);			// unlocks if no error occurred

	return (0);
}

For example, in the rum driver a lock is taken:

static int
rum_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
    const struct ieee80211_bpf_params *params)
{
	struct rum_softc *sc = ni->ni_ic->ic_softc;
	int ret;

	RUM_LOCK(sc);			// lock taken before checking sc_running value
	/* prevent management frames from being sent if we're not ready */
	if (!sc->sc_running) {
		ret = ENETDOWN;
		goto bad;
	}
	if (sc->tx_nfree < RUM_TX_MINFREE) {
		ret = EIO;
		goto bad;
	}

	if (params == NULL) {
		/*
		 * Legacy path; interpret frame contents to decide
		 * precisely how to send the frame.
		 */
		if ((ret = rum_tx_mgt(sc, m, ni)) != 0)
			goto bad;
	} else {
		/*
		 * Caller supplied explicit parameters to use in
		 * sending the frame.
		 */
		if ((ret = rum_tx_raw(sc, m, ni, params)) != 0)
			goto bad;
	}
	RUM_UNLOCK(sc);

	return 0;
bad:
	RUM_UNLOCK(sc);
	m_freem(m);
	return ret;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
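The ordering difference the comment above points out (rsu reads sc_running before taking the lock, rum reads it after) is a time-of-check/time-of-use pattern. The following is an added userland model, not FreeBSD driver code and not part of the bug report: the softc, the lock, model_stop() and model_tx_start() are constructed stand-ins, and the "other thread" is a hook the caller invokes at the point where the scheduler could switch to the stop routine. It shows that with the rsu ordering a frame can still reach the tx path after stop has completed, while with the rum ordering the check and the use sit in one critical section.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Constructed model state (assumption: not the real rsu_softc/rum_softc).
 * The interleaving is driven by a hook rather than real threads, so the
 * lock is modelled as a held flag instead of a mutex.
 */
struct softc {
	int lock_held;     /* stands in for RSU_LOCK/RUM_LOCK */
	int running;       /* sc_running, cleared by model_stop() under the lock */
	int nfree;         /* free tx buffers, like the pool rsu_getbuf() draws from */
	int tx_after_stop; /* frames that reached tx_start() after stop(); must stay 0 */
};

typedef void (*interleave_fn)(struct softc *);

static void sc_lock(struct softc *sc)   { sc->lock_held = 1; }
static void sc_unlock(struct softc *sc) { sc->lock_held = 0; }

static void softc_init(struct softc *sc, int nfree)
{
	sc->lock_held = 0;
	sc->running = 1;
	sc->nfree = nfree;
	sc->tx_after_stop = 0;
}

/* Model of the driver's stop routine: clears running under the lock. */
static void model_stop(struct softc *sc)
{
	sc_lock(sc);
	sc->running = 0;
	sc_unlock(sc);
}

/* Model of the tx submit step: meant to run only with the lock held on a
 * running device. Instead of touching stopped hardware, count the violation. */
static int model_tx_start(struct softc *sc)
{
	if (!sc->running)
		sc->tx_after_stop++;
	return 0;
}

/* rsu style: running is read before the lock. If stop() runs between the
 * read (time of check) and the locked section (time of use), the frame is
 * still handed to a device that has been stopped. */
static int raw_xmit_unlocked_check(struct softc *sc, interleave_fn other_thread)
{
	if (!sc->running)
		return ENETDOWN;
	if (other_thread != NULL)
		other_thread(sc);   /* scheduler switches to e.g. model_stop() here */
	sc_lock(sc);
	if (sc->nfree == 0) {
		sc_unlock(sc);
		return ENOBUFS;
	}
	sc->nfree--;
	model_tx_start(sc);
	sc_unlock(sc);
	return 0;
}

/* rum style: the lock is taken first, so the running check and the use of
 * the device form one critical section. A stop ordered before us is seen by
 * the check; with a real mutex, one ordered after us waits for the lock. */
static int raw_xmit_locked_check(struct softc *sc, interleave_fn other_thread)
{
	if (other_thread != NULL)
		other_thread(sc);   /* same switch point; stop() now precedes the whole section */
	sc_lock(sc);
	if (!sc->running) {
		sc_unlock(sc);
		return ENETDOWN;
	}
	if (sc->nfree == 0) {
		sc_unlock(sc);
		return ENOBUFS;
	}
	sc->nfree--;
	model_tx_start(sc);
	sc_unlock(sc);
	return 0;
}

/* Run one variant on a fresh softc with the given buffer count and hook. */
static int xmit_result(int (*xmit)(struct softc *, interleave_fn), int nfree,
    interleave_fn other_thread)
{
	struct softc sc;
	softc_init(&sc, nfree);
	return xmit(&sc, other_thread);
}

/* Interleave stop() at the switch point and report how many frames the
 * variant delivered after stop: 1 for the unlocked check, 0 for the locked one. */
static int frames_after_stop(int (*xmit)(struct softc *, interleave_fn))
{
	struct softc sc;
	softc_init(&sc, 4);
	xmit(&sc, model_stop);
	return sc.tx_after_stop;
}

int main(void)
{
	printf("rsu-style unlocked check: %d frame(s) reached tx after stop\n",
	    frames_after_stop(raw_xmit_unlocked_check));
	printf("rum-style locked check:   %d frame(s) reached tx after stop\n",
	    frames_after_stop(raw_xmit_locked_check));
	return 0;
}
```

The hook makes the race deterministic so the two orderings can be compared directly; in the kernel the same window is opened by a stop or detach path running on another CPU between the unlocked read of sc_running and RSU_LOCK(). The model does not say what the stopped device does with the late frame, only that the rsu ordering lets it get there and the rum ordering does not.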