Date:      Mon, 22 Mar 2021 14:15:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        wireless@FreeBSD.org
Subject:   [Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Message-ID:  <bug-254479-21060@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479

            Bug ID: 254479
           Summary: Kernel remote heap overflow in Realtek
                    RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: cutesmilee.business@gmail.com

rsu_raw_xmit(), in its last if statement, calls rsu_tx_start() with a
user-controlled mbuf as parameter.
At the end of rsu_tx_start(), m_copydata() is called; it copies the
user-controlled mbuf using the length of the packet / the length of the mbuf
(which isn't checked), the smaller size is taken (the user can provide a big
payload), and the mbuf gets copied to the TX descriptor struct (struct
r92s_tx_desc, which is 32 bytes), at &txd[1].
These vulnerabilities are only for Realtek RTL8188SU/RTL8191SU/RTL8192SU wifi
cards (that are connected via USB?).

vulnerable code:

static int
rsu_tx_start(struct rsu_softc *sc, struct ieee80211_node *ni,
    struct mbuf *m0, struct rsu_data *data)
{
        struct ieee80211vap *vap = ni->ni_vap;
        struct ieee80211_frame *wh;
        struct ieee80211_key *k = NULL;
        struct r92s_tx_desc *txd;
        uint8_t type;
        int prio = 0;
        uint8_t which;
        int hasqos;
        int xferlen;
        int qid;

        [...]

        xferlen = sizeof(*txd) + m0->m_pkthdr.len;
        m_copydata(m0, 0, m0->m_pkthdr.len, (caddr_t)&txd[1]); // <- heap overflow here

        data->buflen = xferlen;
        data->ni = ni;
        data->m = m0;
        STAILQ_INSERT_TAIL(&sc->sc_tx_pending[which], data, next);

        /* start transfer, if any */
        usbd_transfer_start(sc->sc_xfer[which]);
        return (0);
}
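The snippet above computes xferlen from the attacker-controlled packet length and then copies that many bytes behind the 32-byte descriptor without ever comparing the total against the size of the destination buffer. The program below is an added, stand-alone model of the missing check; it is not the FreeBSD rsu(4) driver's code and not a patch from the reporter. The struct tx_buf type, TXBUF_LEN, unchecked_copy_overflows(), checked_tx_build() and try_frame() are hypothetical names chosen for the example; only the 32-byte descriptor size comes from the report.

```c
/*
 * Added example (not the FreeBSD rsu(4) driver's code): a stand-alone model
 * of the length check that is missing in the report's rsu_tx_start() snippet.
 * Names and buffer sizes are hypothetical; only TXDESC_LEN (32, the size of
 * struct r92s_tx_desc) comes from the bug report.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TXDESC_LEN 32   /* size of struct r92s_tx_desc per the bug report */
#define TXBUF_LEN  256  /* hypothetical fixed size of one USB transfer buffer */

/* Hypothetical stand-in for struct rsu_data: a fixed buffer plus its fill level. */
struct tx_buf {
    uint8_t buf[TXBUF_LEN];
    size_t  buflen;
};

/*
 * The unchecked pattern from the report: xferlen = sizeof(*txd) + m_pkthdr.len
 * is derived from an untrusted packet length and never compared with the
 * destination buffer. This helper only reports whether such a copy would run
 * past the buffer; it performs no write.
 */
int unchecked_copy_overflows(size_t pktlen)
{
    size_t xferlen = TXDESC_LEN + pktlen;
    return xferlen > TXBUF_LEN;
}

/*
 * Hardened version: refuse the frame before any byte is written.
 * The comparison is arranged so the addition itself cannot wrap.
 * Returns 0 on success or a positive errno value, BSD kernel style.
 */
int checked_tx_build(struct tx_buf *data, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen > TXBUF_LEN - TXDESC_LEN)
        return EMSGSIZE;

    memset(data->buf, 0, TXDESC_LEN);              /* descriptor header */
    memcpy(data->buf + TXDESC_LEN, pkt, pktlen);   /* frame body after it */
    data->buflen = TXDESC_LEN + pktlen;
    return 0;
}

/*
 * Builds a constructed frame of pktlen bytes and runs it through the checked
 * path. Returns the resulting buflen, or 0 when the frame was rejected, so the
 * outcome can be inspected directly.
 */
size_t try_frame(size_t pktlen)
{
    struct tx_buf data;
    uint8_t frame[1024];   /* constructed sample payload, larger than TXBUF_LEN */

    if (pktlen > sizeof(frame))
        return 0;
    memset(frame, 0xAA, pktlen);
    memset(&data, 0, sizeof(data));
    if (checked_tx_build(&data, frame, pktlen) != 0)
        return 0;
    return data.buflen;
}

int main(void)
{
    size_t lens[] = { 64, TXBUF_LEN - TXDESC_LEN, TXBUF_LEN - TXDESC_LEN + 1, 600 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("pktlen=%zu unchecked_overflow=%d checked_buflen=%zu\n",
               lens[i], unchecked_copy_overflows(lens[i]), try_frame(lens[i]));
    }
    return 0;
}
```

The point of the check's shape is that it is done on pktlen against the remaining room (TXBUF_LEN - TXDESC_LEN) rather than on the sum, so an attacker-chosen length cannot wrap the addition, and that it happens before memcpy() rather than after, which is the order the reported code gets wrong.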

-- 
You are receiving this mail because:
You are the assignee for the bug.