Date: Mon, 22 Mar 2021 14:15:33 +0000
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Message-ID: <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479

            Bug ID: 254479
           Summary: Kernel remote heap overflow in Realtek
                    RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: cutesmilee.business@gmail.com

rsu_raw_xmit() in the last if statement calls rsu_tx_start(), taking a
user-controlled mbuf as parameter. At the end of the function m_copydata()
is called, and it copies the user-controlled mbuf with the length of the
packet / the length of the mbuf (which isn't checked), the smaller size is
taken (the user can provide a big payload), and the mbuf gets copied to the
TX Descriptor struct (struct r92s_tx_desc) which is 32 bytes.

These vulnerabilities are only for Realtek RTL8188SU/RTL8191SU/RTL8192SU
wifi cards (that are connected via USB?).

Vulnerable code:

    static int
    rsu_tx_start(struct rsu_softc *sc, struct ieee80211_node *ni,
        struct mbuf *m0, struct rsu_data *data)
    {
            struct ieee80211vap *vap = ni->ni_vap;
            struct ieee80211_frame *wh;
            struct ieee80211_key *k = NULL;
            struct r92s_tx_desc *txd;
            uint8_t type;
            int prio = 0;
            uint8_t which;
            int hasqos;
            int xferlen;
            int qid;

            [...]

            xferlen = sizeof(*txd) + m0->m_pkthdr.len;
            m_copydata(m0, 0, m0->m_pkthdr.len, (caddr_t)&txd[1]); // <- heap overflow here
            data->buflen = xferlen;
            data->ni = ni;
            data->m = m0;
            STAILQ_INSERT_TAIL(&sc->sc_tx_pending[which], data, next);

            /* start transfer, if any */
            usbd_transfer_start(sc->sc_xfer[which]);

            return (0);
    }

-- 
You are receiving this mail because:
You are the assignee for the bug.
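The report above describes a copy of m0->m_pkthdr.len bytes into a fixed-size transfer buffer with no comparison against the space that remains after the 32-byte descriptor. The following is an added example, not code from the report or from the FreeBSD rsu(4) driver: it models that copy step with constructed stand-in structures (fake_mbuf, fake_tx_data, an assumed 256-byte transfer buffer) and shows the bounds check a hardened version of the step needs, rejecting any frame that would not fit instead of writing past the buffer. TX_DESC_SIZE follows the 32-byte figure in the report; TX_BUF_SIZE and the helper names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the driver's structures; not the FreeBSD definitions. */
#define TX_DESC_SIZE 32      /* the report gives sizeof(struct r92s_tx_desc) as 32 */
#define TX_BUF_SIZE  256     /* assumed size of the fixed per-transfer buffer */

struct fake_tx_desc { uint8_t raw[TX_DESC_SIZE]; };

struct fake_mbuf {
	const uint8_t *data;
	size_t pkthdr_len;        /* plays the role of m0->m_pkthdr.len */
};

struct fake_tx_data {
	uint8_t buf[TX_BUF_SIZE]; /* fixed buffer the descriptor and frame are written into */
	size_t buflen;
};

/*
 * Hardened copy step: the frame must fit in the space left after the
 * descriptor, otherwise it is rejected before anything is written.
 * The unchecked variant in the report computes xferlen and copies
 * m0->m_pkthdr.len bytes without this comparison.
 */
int
tx_start_checked(struct fake_tx_data *data, const struct fake_mbuf *m0)
{
	struct fake_tx_desc *txd = (struct fake_tx_desc *)data->buf;
	size_t avail = sizeof(data->buf) - sizeof(*txd);

	if (m0->pkthdr_len > avail)
		return (-EMSGSIZE);  /* caller frees the mbuf and counts a drop */

	memset(txd, 0, sizeof(*txd));
	memcpy(&txd[1], m0->data, m0->pkthdr_len); /* stands in for m_copydata() */
	data->buflen = sizeof(*txd) + m0->pkthdr_len;
	return (0);
}

/*
 * Builds a constructed frame of `len` bytes and submits it; returns the
 * tx_start_checked() result and, on success, the resulting transfer length.
 */
int
try_frame(size_t len, size_t *buflen_out)
{
	static uint8_t payload[512];
	struct fake_mbuf m;
	struct fake_tx_data d;
	int rc;

	if (len > sizeof(payload))
		return (-EINVAL);
	memset(payload, 0xAA, len);      /* constructed frame contents */
	m.data = payload;
	m.pkthdr_len = len;
	memset(&d, 0, sizeof(d));
	rc = tx_start_checked(&d, &m);
	if (rc == 0 && buflen_out != NULL)
		*buflen_out = d.buflen;
	return (rc);
}

/* Transfer length (descriptor + frame) for an accepted frame, 0 if rejected. */
size_t
transfer_len_for(size_t len)
{
	size_t bl = 0;

	return (try_frame(len, &bl) == 0 ? bl : 0);
}

int
main(void)
{
	size_t lens[] = { 40, 224, 225 };
	size_t i;

	for (i = 0; i < 3; i++) {
		size_t bl = 0;
		int rc = try_frame(lens[i], &bl);
		printf("frame of %zu bytes: rc=%d buflen=%zu\n", lens[i], rc, bl);
	}
	return (0);
}
```

A 224-byte frame is the largest that fits (256 minus the 32-byte descriptor); 225 bytes is refused with -EMSGSIZE and nothing is written, which is the behaviour the unchecked copy lacks.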