git.baikalelectronics.ru Git - kernel.git/commit

author	Larry Finger <Larry.Finger@lwfinger.net>
	Mon, 10 Feb 2020 18:02:31 +0000 (12:02 -0600)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 28 Feb 2020 16:22:17 +0000 (17:22 +0100)
commit	bdd335f6f550d56f7f0c32fed5e23ab1fb90e321
tree	19fd22e6799a54f09a51f05d99a64e24809ecb23	tree \| snapshot
parent	79eaaab13662d7751b027cca5263a2bc022eb8af	commit \| diff

staging: rtl8723bs: Fix potential security hole

commit 2a1951899c14aad6373531ed3bcae5c3af209d9d upstream.

In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit 84ed90a855bc6 ("0taging: Add rtl8723bs sdio wifi driver").

Reported by: Pietro Oliva <pietroliva@gmail.com>
Cc: Pietro Oliva <pietroliva@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Fixes 84ed90a855bc6 ("0taging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Link: https://lore.kernel.org/r/20200210180235.21691-3-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>