Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Sam James <sam@gentoo.org>
Cc: chunkeey@gmail.com, chunkeey@googlemail.com, davem@davemloft.net,
	edumazet@google.com, helmut.schaa@googlemail.com,
	johannes@sipsolutions.net, kernel@quicinc.com, kuba@kernel.org,
	kvalo@kernel.org, linux-kernel@vger.kernel.org,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, pkshih@realtek.com, quic_jjohnson@quicinc.com,
	stf_xl@wp.pl, toke@toke.dk
Subject: Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie
Date: Mon, 13 May 2024 22:49:54 -0700	[thread overview]
Message-ID: <202405132245.017023A@keescook> (raw)
In-Reply-To: <87jzjxgfnt.fsf@gentoo.org>

On Tue, May 14, 2024 at 05:51:02AM +0100, Sam James wrote:
> I think I've just hit this, unless it's been fixed since and it's just
> similar.
> 
> ```
> [  291.051876] ================================================================================
> [  291.051892] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.30/work/linux-6.6/include/linux/ieee80211.h:4455:28
> [  291.051901] index 1 is out of range for type 'u8 [1]'
> [  291.051908] CPU: 2 PID: 627 Comm: kworker/2:3 Not tainted 6.6.30-gentoo-dist-hardened #1
> [  291.051917] Hardware name: ASUSTeK COMPUTER INC. UX305FA/UX305FA, BIOS UX305FA.216 04/17/2019
> [  291.051922] Workqueue: events cfg80211_wiphy_work [cfg80211]
> [  291.052082] Call Trace:
> [  291.052088]  <TASK>
> [  291.052096] dump_stack_lvl (lib/dump_stack.c:107) 
> [  291.052114] __ubsan_handle_out_of_bounds (lib/ubsan.c:218 (discriminator 1) lib/ubsan.c:348 (discriminator 1)) 
> [  291.052130] ieee80211_rx_mgmt_beacon (include/linux/ieee80211.h:4455 net/mac80211/mlme.c:6047) mac80211

This looks like it's this line in ieee80211_rx_mgmt_beacon():

            ieee80211_check_tim(elems->tim, elems->tim_len, vif_cfg->aid)) {

which is:

static inline bool ieee80211_check_tim(const struct ieee80211_tim_ie *tim,
                                       u8 tim_len, u16 aid)
{ ...
        return !!(tim->virtual_map[index] & mask);
                  ^^^^^^^^^^^^^^^^^^^^^^^
}

UBSAN says it's because the array is defined as "virtual_map[1]":

struct ieee80211_tim_ie {
        u8 dtim_count;
        u8 dtim_period;
        u8 bitmap_ctrl;
        /* variable size: 1 - 251 bytes */
        u8 virtual_map[1];
} __packed;

This was fixed in

	commit 2ae5c9248e06 ("wifi: mac80211: Use flexible array in struct ieee80211_tim_ie")

which was part of the v6.7 release.

> (It was a fun mini-adventure to get the trace usable and I should send
> some patches to decode_stacktrace.sh, I think...)

Please do! :)

-- 
Kees Cook

next prev parent reply	other threads:[~2024-05-14  5:49 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-29 13:29 [PATCH v2 0/2] wifi: Fix struct ieee80211_tim_ie::virtual_map Jeff Johnson
2023-08-29 13:29 ` [PATCH v2 1/2] wifi: cw1200: Avoid processing an invalid TIM IE Jeff Johnson
2023-08-29 13:29 ` [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie Jeff Johnson
2023-08-30 19:51   ` Christian Lamparter
2023-08-30 20:22     ` Jeff Johnson
2023-08-30 22:31       ` Kees Cook
2024-05-14  4:51         ` Sam James
2024-05-14  5:49           ` Kees Cook [this message]
2023-08-30 20:24     ` Jeff Johnson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202405132245.017023A@keescook \
    --to=keescook@chromium.org \
    --cc=chunkeey@gmail.com \
    --cc=chunkeey@googlemail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=helmut.schaa@googlemail.com \
    --cc=johannes@sipsolutions.net \
    --cc=kernel@quicinc.com \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pkshih@realtek.com \
    --cc=quic_jjohnson@quicinc.com \
    --cc=sam@gentoo.org \
    --cc=stf_xl@wp.pl \
    --cc=toke@toke.dk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.