Gentoo Linux Security Advisory 202212-1 - Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. Versions less than 7.86.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: curl: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365  
       ID: 202212-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in curl, the worst of which  
could result in arbitrary code execution.

Background  
=========  
A command line tool and library for transferring data with URLs.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/curl              < 7.86.0                    >= 7.86.0

Description  
==========  
Multiple vulnerabilities have been discovered in curl. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All curl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"

References  
=========  
[ 1 ] CVE-2021-22922  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22922  
[ 2 ] CVE-2021-22923  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22923  
[ 3 ] CVE-2021-22925  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22925  
[ 4 ] CVE-2021-22926  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22926  
[ 5 ] CVE-2021-22945  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22945  
[ 6 ] CVE-2021-22946  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22946  
[ 7 ] CVE-2021-22947  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22947  
[ 8 ] CVE-2022-22576  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22576  
[ 9 ] CVE-2022-27774  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27774  
[ 10 ] CVE-2022-27775  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27775  
[ 11 ] CVE-2022-27776  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27776  
[ 12 ] CVE-2022-27779  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27779  
[ 13 ] CVE-2022-27780  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27780  
[ 14 ] CVE-2022-27781  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27781  
[ 15 ] CVE-2022-27782  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27782  
[ 16 ] CVE-2022-30115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30115  
[ 17 ] CVE-2022-32205  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32205  
[ 18 ] CVE-2022-32206  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32206  
[ 19 ] CVE-2022-32207  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32207  
[ 20 ] CVE-2022-32208  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32208  
[ 21 ] CVE-2022-32221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32221  
[ 22 ] CVE-2022-35252  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35252  
[ 23 ] CVE-2022-35260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35260  
[ 24 ] CVE-2022-42915  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42915  
[ 25 ] CVE-2022-42916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42916

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-01

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-01

Gentoo Linux Security Advisory 202212-4 - A vulnerability has been discovered in LibreOffice which could result in arbitrary script execution via crafted links. Versions less than 7.3.6.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibreOffice: Arbitrary Code Execution  
     Date: December 19, 2022  
     Bugs: #876869  
       ID: 202212-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in LibreOffice which could result in  
arbitrary script execution via crafted links.

Background  
=========  
LibreOffice is a powerful office suite; its clean interface and powerful  
tools let you unleash your creativity and grow your productivity.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-office/libreoffice     < 7.3.6.2                  >= 7.3.6.2  
  2  app-office/libreoffice-bin < 7.3.6.2                  >= 7.3.6.2

Description  
==========  
LibreOffice links using the vnd.libreoffice.command scheme could be  
constructed to call internal macros with arbitrary arguments. Which when  
clicked on, or activated by document events, could result in arbitrary  
script execution without warning.

Impact  
=====  
An attacker able to coerce a victim into opening a crafted LibreOffice  
document and execute certain actions with it could achieve remote code  
execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibreOffice users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-7.3.6.2"

All LibreOffice binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-bin-7.3.6.2"

References  
=========  
[ 1 ] CVE-2022-3140  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3140

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-04

Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Unbound: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #872209, #866881  
       ID: 202212-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Unbound, the worst of  
which could result in denial of service.

Background  
=========  
Unbound is a validating, recursive, and caching DNS resolver.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-dns/unbound            < 1.16.3                    >= 1.16.3

Description  
==========  
Multiple vulnerabilities have been discovered in Unbound. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Unbound users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/unbound-1.16.3"

References  
=========  
[ 1 ] CVE-2022-3204  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3204  
[ 2 ] CVE-2022-30698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30698  
[ 3 ] CVE-2022-30699  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30699

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-02

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-02

Debian Linux Security Advisory 5303-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5303-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2022-46882 CVE-2022-46881 CVE-2022-46880 CVE-2022-46878                 CVE-2022-46874 CVE-2022-46872 CVE-2022-45414Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code or information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 1:102.6.0-1~deb11u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwVkACgkQEMKTtsN8TjYhNA//e9mQQto3dcqum+DpkqlxnQ0oJZW90A4qnpdorbSH6AuQodiaMXYrhZ1y7LaCCZd2LgxwIOoW5ukYto7TGGWA+bU8VtdivVKEVJ52dwyzFhp1PMhn81Lr+DRgNf9vYTGO3MYnThKckNhkGPN2qQtxABoBA+opJJIFq7yJW34NEhhWNoH0ubGmCie/13l5msZmN1pYALhsDs1Li7yotVtIRU6r5/t4BUwI0hyfLaR0HDcpeT8iAnyuedMcXF+jFF0B8HQfkakNOc4fODcpiNVW6FAezRPprCTCqpuIr8Ic7yrYWYlAjayLRBbp277JXESFk16Oao/OR0Qf4SpfhDCw3IZwG6A0De4e7nVxunIkjShU9tfzjx5LPeiGqQkXiS2abklARfRUqFeqPFQJbF+CA7lHZiCWm/LXtOjArkIvZ7j1BNcdPmhe/OAJ04zi1j2aKxNxvKAwBK065N1pSn9iS9zvGva7rcenKYnd8kkdExHSnWCCuo79otgKWQ6az/zIdfwY8MU7xxCo04pNnBH+fUAk4sDZGzjfebuqWuUZQ6KK1uo0w6Ji10zriQ2bJ94eYuptBEZttovyjj7SbOAuAB2zpchHT2TlifpgoTmywRNsMceqDNvzbgTCwMEP30TYXOyiunxOs2AgL/6hFAfZ3oTfpxqjuscKCkfi1pwaYjM=YY+h-----END PGP SIGNATURE-----

Debian Security Advisory 5303-1

Debian Linux Security Advisory 5302-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5302-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-4436 CVE-2022-4437 CVE-2022-4438 CVE-2022-4439                 CVE-2022-4440Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 108.0.5359.124-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwUwACgkQEMKTtsN8TjaEDhAAuNgbC9i9I5soJN7677urAmv/mzR20/hpcEx4WlrS5YlCMBISsolvytNClMnzfVIe8e0akdshGTtGmehUco7gxXRq7Ab+kCDMFgXrPCf+SDXFbECLR/xtrTGuahzPmrDBwz/5O3gOFcJaEhXoLUER1Xm2UX8MgMlV/pfv8UN0keXriJSS/nWVU5sp8UCfafYxa/cNB51k7VmQTEDL56zcE64zZxXmmfNDvNv9/FHiMHZyATZv499nfEVaI0qvLot/trilA2X6/Wn5aFJD7cRk7PWJR6fzMs36Ad4E9Ww5/mDy6ADKORyRhiHbpw+wRCgs253pkDvwExVTwu2BGsXp9ThnVIHRXflN0GaixsDUryA3x0IRCTiWpNU+armowtAS7I31kht91uPhJaaK3DoB/xgqRbNBHeZnl8NqAaf76ODSGAbjcoUxLXrEb+zD9dLbFuDnfapfeqKCDuZAkeBv9k9etvMTuBTb4KjvA/OfhFTYpF8EJ2+o4RTBqf2vNlEWhSLqXY/ehr6LygFnHlBnrR+SQPUfEQywHEMRa+4DqyWtf25mZKkVl1AdhMqXBF6Rsht0UBOUu2M2g4NOtk/1S34EhPeEhZLSh+Z3XhoIj/UfQLcOgMEQCBHuz1S5tXyLqQCwbpi/Pm+lSI99fPooTH5UoJpDj2cGygXfNysjKq0=kfqY-----END PGP SIGNATURE-----

Debian Security Advisory 5302-1

Ubuntu Security Notice 5783-1 - Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5783-1December 16, 2022linux-oem-5.17 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systemsDetails:Tamás Koczka discovered that the Bluetooth L2CAP handshake implementationin the Linux kernel contained multiple use-after-free vulnerabilities. Aphysically proximate attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1025-oem     5.17.0-1025.26   linux-image-oem-22.04           5.17.0.1025.23   linux-image-oem-22.04a          5.17.0.1025.23After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5783-1   CVE-2022-42896Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1025.26

Ubuntu Security Notice USN-5783-1

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.

Permalink

Browse files

wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST at…

…tribute

Validate that the IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute contains
enough space for a 'struct wilc\_attr\_oper\_ch'. If the attribute is too
small then it can trigger an out-of-bounds write later in the function.

'struct wilc\_attr\_oper\_ch' is variable sized so also check 'attr\_len'
does not extend beyond the end of 'buf'.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com

*   Loading branch information

CVE-2022-47521: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST at… · torvalds/linux@f9b62f9

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.

From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
	kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: \[PATCH 2/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute
Date: Wed, 23 Nov 2022 10:35:41 -0500	\[thread overview\]
Message-ID: <20221123153543.8568-3-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com\>

Validate that the IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute contains
enough space for a 'struct struct wilc\_attr\_oper\_ch'. If the attribute is
too small then it triggers an out-of-bounds write later in the function.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
 drivers/net/wireless/microchip/wilc1000/cfg80211.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index 9bbfff803357..aedf0e8b69b9 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -959,14 +959,24 @@ static inline void wilc\_wfi\_cfg\_parse\_ch\_attr(u8 \*buf, u32 len, u8 sta\_ch)
 		return;
 
 	while (index + sizeof(\*e) <= len) {
+		u16 attr\_size;
+
 		e = (struct wilc\_attr\_entry \*)&buf\[index\];
+		attr\_size = le16\_to\_cpu(e->attr\_len);
+
+		if (index + sizeof(\*e) + attr\_size > len)
+			return;
+
 		if (e->attr\_type == IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST)
 			ch\_list\_idx = index;
\-		else if (e->attr\_type == IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL)
+		else if (e->attr\_type == IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL &&
+			 attr\_size == (sizeof(struct wilc\_attr\_oper\_ch) - sizeof(\*e)))
 			op\_ch\_idx = index;
+
 		if (ch\_list\_idx && op\_ch\_idx)
 			break;
\-		index += le16\_to\_cpu(e->attr\_len) + sizeof(\*e);
+
+		index += sizeof(\*e) + attr\_size;
 	}
 
 	if (ch\_list\_idx) {
-- 
2.34.1

next prev parent reply	other threads:\[~2022-11-23 15:35 UTC|newest\]

**Thread overview:** 6+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-11-23 15:35 \[PATCH 0/4\] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 \` \[PATCH 1/4\] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11   \` Kalle Valo
**2022-11-23 15:35 \` Phil Turnbull \[this message\]**
2022-11-23 15:35 \` \[PATCH 3/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute Phil Turnbull
2022-11-23 15:35 \` \[PATCH 4/4\] wifi: wilc1000: validate number of channels Phil Turnbull

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221123153543.8568-3-philipturnbull@github.com \\
    --to=philipturnbull@github.com \\
    --cc=ajay.kathat@microchip.com \\
    --cc=claudiu.beznea@microchip.com \\
    --cc=kvalo@kernel.org \\
    --cc=linux-wireless@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-47519: [PATCH 2/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.

From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
	kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: \[PATCH 4/4\] wifi: wilc1000: validate number of channels
Date: Wed, 23 Nov 2022 10:35:43 -0500	\[thread overview\]
Message-ID: <20221123153543.8568-5-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com\>

There is no validation of 'e->no\_of\_channels' which can trigger an
out-of-bounds write in the following 'memset' call. Validate that the
number of channels does not extends beyond the size of the channel list
element.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
 .../wireless/microchip/wilc1000/cfg80211.c    | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index c4d5a272ccc0..b545d93c6e37 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -981,19 +981,29 @@ static inline void wilc\_wfi\_cfg\_parse\_ch\_attr(u8 \*buf, u32 len, u8 sta\_ch)
 	}
 
 	if (ch\_list\_idx) {
\-		u16 attr\_size;
-		struct wilc\_ch\_list\_elem \*e;
-		int i;
+		u16 elem\_size;
 
 		ch\_list = (struct wilc\_attr\_ch\_list \*)&buf\[ch\_list\_idx\];
\-		attr\_size = le16\_to\_cpu(ch\_list->attr\_len);
-		for (i = 0; i < attr\_size;) {
+		/\* the number of bytes following the final 'elem' member \*/
+		elem\_size = le16\_to\_cpu(ch\_list->attr\_len) -
+			(sizeof(\*ch\_list) - sizeof(struct wilc\_attr\_entry));
+		for (unsigned int i = 0; i < elem\_size;) {
+			struct wilc\_ch\_list\_elem \*e;
+
 			e = (struct wilc\_ch\_list\_elem \*)(ch\_list->elem + i);
+
+			i += sizeof(\*e);
+			if (i > elem\_size)
+				break;
+
+			i += e->no\_of\_channels;
+			if (i > elem\_size)
+				break;
+
 			if (e->op\_class == WILC\_WLAN\_OPERATING\_CLASS\_2\_4GHZ) {
 				memset(e->ch\_list, sta\_ch, e->no\_of\_channels);
 				break;
 			}
\-			i += e->no\_of\_channels;
 		}
 	}
 
-- 
2.34.1

     prev parent reply	other threads:\[~2022-11-23 15:36 UTC|newest\]

**Thread overview:** 6+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-11-23 15:35 \[PATCH 0/4\] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 \` \[PATCH 1/4\] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11   \` Kalle Valo
2022-11-23 15:35 \` \[PATCH 2/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute Phil Turnbull
2022-11-23 15:35 \` \[PATCH 3/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute Phil Turnbull
**2022-11-23 15:35 \` Phil Turnbull \[this message\]**

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221123153543.8568-5-philipturnbull@github.com \\
    --to=philipturnbull@github.com \\
    --cc=ajay.kathat@microchip.com \\
    --cc=claudiu.beznea@microchip.com \\
    --cc=kvalo@kernel.org \\
    --cc=linux-wireless@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-47518: [PATCH 4/4] wifi: wilc1000: validate number of channels

An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.

Permalink

Browse files

wifi: wilc1000: validate pairwise and authentication suite offsets

There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com

*   Loading branch information

Tag

#linux