[SRU,L/K/J/F/B,0/1] CVE-2023-1380

Message ID	20230509190541.46028-1-yuxuan.luo@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Yuxuan Luo <yuxuan.luo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][L/K/J/F/B][PATCH 0/1] CVE-2023-1380 Date: Tue, 9 May 2023 15:05:39 -0400 Message-Id: <20230509190541.46028-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-1380 \| expand [SRU,L/K/J/F/B,0/1] CVE-2023-1380 [SRU,L/K/J/F] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Message ID

20230509190541.46028-1-yuxuan.luo@canonical.com

Headers

From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][L/K/J/F/B][PATCH 0/1] CVE-2023-1380
Date: Tue,  9 May 2023 15:05:39 -0400
Message-Id: <20230509190541.46028-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-1380 | expand

Message

Yuxuan Luo May 9, 2023, 7:05 p.m. UTC

[Impact]
A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in 
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux 
Kernel. This issue could occur when assoc_info->req_len data is bigger than 
the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of 
service. 

[Backport]
It is a clean cherry pick for L/K/J/F.
For Bionic, substitute `bphy_err()` with `brcmf_err()` since `bphy_err()` was
yet to be introduced in the Bionic tree.

[Test]
Compile and smoke tested via modprobe and rmmod the brmcfmac module.

[Potential Regression]
Expecting low potential of regression as the fix only adds an additionaly layer
of sanity check.

Jisoo Jang (1):
  wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Tim Gardner May 10, 2023, 4:13 p.m. UTC | #1

On 5/9/23 1:05 PM, Yuxuan Luo wrote:
> [Impact]
> A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
> Kernel. This issue could occur when assoc_info->req_len data is bigger than
> the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of
> service.
> 
> [Backport]
> It is a clean cherry pick for L/K/J/F.
> For Bionic, substitute `bphy_err()` with `brcmf_err()` since `bphy_err()` was
> yet to be introduced in the Bionic tree.
> 
> [Test]
> Compile and smoke tested via modprobe and rmmod the brmcfmac module.
> 
> [Potential Regression]
> Expecting low potential of regression as the fix only adds an additionaly layer
> of sanity check.
> 
> Jisoo Jang (1):
>    wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
> 
>   drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Thadeu Lima de Souza Cascardo May 10, 2023, 6:58 p.m. UTC | #2

Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Luke Nowakowski-Krijger May 11, 2023, 4:04 p.m. UTC | #3

Applied to lunar,kinetic,jammy,focal,bionic linux master-next

Thanks,

- Luke

On Tue, May 9, 2023 at 9:07 PM Yuxuan Luo <yuxuan.luo@canonical.com> wrote:

> [Impact]
> A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
> Kernel. This issue could occur when assoc_info->req_len data is bigger
> than
> the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial
> of
> service.
>
> [Backport]
> It is a clean cherry pick for L/K/J/F.
> For Bionic, substitute `bphy_err()` with `brcmf_err()` since `bphy_err()`
> was
> yet to be introduced in the Bionic tree.
>
> [Test]
> Compile and smoke tested via modprobe and rmmod the brmcfmac module.
>
> [Potential Regression]
> Expecting low potential of regression as the fix only adds an additionaly
> layer
> of sanity check.
>
> Jisoo Jang (1):
>   wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
>
>  drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>