From: Kalle Valo <kvalo@kernel.org>
To: Jeff Johnson <quic_jjohnson@quicinc.com>
Cc: Aleksei Vetrov <vvvvvv@google.com>,
	 Johannes Berg <johannes@sipsolutions.net>,
	 Kees Cook <kees@kernel.org>,
	 "Gustavo A. R. Silva" <gustavoars@kernel.org>,
	 Dmitry Antipov <dmantipov@yandex.ru>,
	<linux-wireless@vger.kernel.org>,  <linux-kernel@vger.kernel.org>,
	<linux-hardening@vger.kernel.org>,  <stable@vger.kernel.org>
Subject: Re: [PATCH v2] wifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan
Date: Tue, 05 Nov 2024 12:46:37 +0200
Message-ID: <87ses6x8j6.fsf@kernel.org>
In-Reply-To: <0bc2e4b0-4dad-4341-a41e-a98fbc4b1658@quicinc.com> (Jeff Johnson's message of "Mon, 4 Nov 2024 09:12:09 -0800")

Jeff Johnson <quic_jjohnson@quicinc.com> writes:

> On 10/29/2024 6:22 AM, Aleksei Vetrov wrote:
>> The channels array in the cfg80211_scan_request has a __counted_by
>> attribute attached to it, which points to the n_channels variable. This
>> attribute is used in bounds checking, and if it is not set before the
>> array is filled, then the bounds sanitizer will issue a warning or a
>> kernel panic if CONFIG_UBSAN_TRAP is set.
>> 
>> This patch sets the size of allocated memory as the initial value for
>> n_channels. It is updated with the actual number of added elements after
>> the array is filled.
>> 
>> Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
> Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
>
> And it is exactly this kind of issue why I'm not accepting any __counted_by()
> changes in ath.git without actually testing the code that is modified.

That's a good rule. If we ever manage to write that "wireless cleanup
policy" document, this is something we should add there.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
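
The ordering the quoted commit message describes, as an added example that is not part of the thread or of the kernel patch. It is a user-space C model: `struct scan_req`, `COUNTED_BY` and `build_request()` are hypothetical names, and the `used >= req->n_channels` test stands in for the check the bounds sanitizer performs on a `__counted_by` array.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-in for the kernel's __counted_by() macro. */
#ifndef __has_attribute
# define __has_attribute(x) 0
#endif
#if __has_attribute(counted_by)
# define COUNTED_BY(m) __attribute__((counted_by(m)))
#else
# define COUNTED_BY(m)
#endif

/* Hypothetical, simplified request; not the kernel's cfg80211_scan_request. */
struct scan_req {
	unsigned int n_channels;
	int channels[] COUNTED_BY(n_channels);
};

/* Returns final n_channels, or -1 if a store would index past the counter. */
static int build_request(const int *src, unsigned int n, int set_count_first)
{
	struct scan_req *req = calloc(1, sizeof(*req) + n * sizeof(int));
	unsigned int i, used = 0;

	if (!req)
		return -1;
	if (set_count_first)
		req->n_channels = n;	/* capacity of the allocation */
	for (i = 0; i < n; i++) {
		if (!src[i])
			continue;	/* entry filtered out, nothing stored */
		if (used >= req->n_channels)
			break;	/* the sanitizer would warn or trap on this store */
		req->channels[used++] = src[i];
	}
	req->n_channels = used;	/* shrink to the number actually added */
	free(req);
	return i == n ? (int)used : -1;
}

int main(void)
{
	static const int src[] = { 2412, 0, 2437, 2462 };	/* constructed input */

	printf("count set last:  %d\n", build_request(src, 4, 0));
	printf("count set first: %d\n", build_request(src, 4, 1));
	return 0;
}
```

With the counter left at zero until after the fill, the first store is already out of bounds; with the counter preset to the allocated capacity, the fill completes and the counter ends at the number of entries kept.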
