From: Kalle Valo <kvalo@kernel.org>
To: Kenton Groombridge <concord@gentoo.org>
Cc: johannes@sipsolutions.net, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v3] wifi: mac80211: Avoid address calculations via out of bounds array indexing
Date: Thu, 06 Jun 2024 12:31:13 +0300 [thread overview]
Message-ID: <871q5amn8e.fsf@kernel.org> (raw)
In-Reply-To: <20240605152218.236061-1-concord@gentoo.org> (Kenton Groombridge's message of "Wed, 5 Jun 2024 11:22:18 -0400")
Kenton Groombridge <concord@gentoo.org> writes:
> req->n_channels must be set before req->channels[] can be used.
>
> This patch fixes one of the issues encountered in [1].
>
> [ 83.964252] ------------[ cut here ]------------
> [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
> [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
> [ 83.964260] CPU: 0 PID: 1695 Comm: iwd Tainted: G O T 6.8.9-gentoo-hardened1 #1
> [ 83.964262] Hardware name: System76 Pangolin/Pangolin, BIOS ARB928_V00.01_T0025ASY1_ms 04/20/2023
> [ 83.964264] Call Trace:
> [ 83.964267] <TASK>
> [ 83.964269] dump_stack_lvl+0x3f/0xc0
> [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110
> [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0
> [ 83.964281] __ieee80211_start_scan+0x601/0x990
> [ 83.964284] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964287] ? cfg80211_scan+0x149/0x250
> [ 83.964291] nl80211_trigger_scan+0x874/0x980
> [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160
> [ 83.964298] genl_rcv_msg+0x240/0x270
> [ 83.964301] ? __cfi_nl80211_trigger_scan+0x10/0x10
> [ 83.964302] ? __cfi_nl80211_post_doit+0x10/0x10
> [ 83.964304] ? __cfi_nl80211_pre_doit+0x10/0x10
> [ 83.964307] ? __cfi_genl_rcv_msg+0x10/0x10
> [ 83.964309] netlink_rcv_skb+0x102/0x130
> [ 83.964312] genl_rcv+0x23/0x40
> [ 83.964314] netlink_unicast+0x23b/0x340
> [ 83.964316] netlink_sendmsg+0x3a9/0x450
> [ 83.964319] __sys_sendto+0x3ae/0x3c0
> [ 83.964324] __x64_sys_sendto+0x21/0x40
> [ 83.964326] do_syscall_64+0x90/0x150
> [ 83.964329] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964331] ? syscall_exit_work+0xc2/0xf0
> [ 83.964333] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964335] ? syscall_exit_to_user_mode+0x74/0xa0
> [ 83.964337] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964339] ? do_syscall_64+0x9c/0x150
> [ 83.964340] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964342] ? syscall_exit_to_user_mode+0x74/0xa0
> [ 83.964344] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964346] ? do_syscall_64+0x9c/0x150
> [ 83.964347] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964349] ? do_syscall_64+0x9c/0x150
> [ 83.964351] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964353] ? syscall_exit_work+0xc2/0xf0
> [ 83.964354] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964356] ? syscall_exit_to_user_mode+0x74/0xa0
> [ 83.964358] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964359] ? do_syscall_64+0x9c/0x150
> [ 83.964361] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964362] ? do_user_addr_fault+0x488/0x620
> [ 83.964366] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964367] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 83.964369] entry_SYSCALL_64_after_hwframe+0x55/0x5d
> [ 83.964372] RIP: 0033:0x6200808578d7
> [ 83.964374] Code: 00 00 90 f3 0f 1e fa 41 56 55 41 89 ce 48 83 ec 28
> 80 3d 7b f7 0d 00 00 74 29 45 31 c9 45 31 c0 41 89 ca b8 2c 00 00 00
> 0f 05 <48> 3d 00 f0 ff ff 77 71 48 83 c4 28 5d 41 5e c3 66 0f 1f 84 00
> 00
> [ 83.964375] RSP: 002b:0000730c4e821530 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> [ 83.964378] RAX: ffffffffffffffda RBX: 000006dbc456c570 RCX: 00006200808578d7
> [ 83.964379] RDX: 000000000000005c RSI: 000006dbc45884f0 RDI: 0000000000000004
> [ 83.964381] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
> [ 83.964382] R10: 0000000000000000 R11: 0000000000000246 R12: 000006dbc456c480
> [ 83.964383] R13: 000006dbc456c450 R14: 0000000000000000 R15: 000006dbc456c610
> [ 83.964386] </TASK>
> [ 83.964386] ---[ end trace ]---
>
> [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810
>
> v3:
> - Fix incorrect channel copying
> v2:
> - Drop changes in cfg80211 as requested by Johannes
In wireless we prefer to have the version changelog after '---' line so
that it's not included in the actual commit. Not sure if Johannes can
fix this during commit.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next prev parent reply other threads:[~2024-06-06 9:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-05 15:22 [PATCH v3] wifi: mac80211: Avoid address calculations via out of bounds array indexing Kenton Groombridge
2024-06-06 9:31 ` Kalle Valo [this message]
2024-06-12 12:30 ` Kenton Groombridge
2024-06-12 8:20 ` Johannes Berg
2024-06-12 12:29 ` Kenton Groombridge
2024-06-12 18:28 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871q5amn8e.fsf@kernel.org \
--to=kvalo@kernel.org \
--cc=concord@gentoo.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johannes@sipsolutions.net \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.