From: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Aldo Ariel Panzardo <qwe.aldo@gmail.com>
Subject: [PATCH] wifi: cfg80211: bound Common-Info-Length in ieee80211_mle_size_ok()
Date: Sun, 5 Jul 2026 10:50:11 -0300 [thread overview]
Message-ID: <20260705135011.407300-1-qwe.aldo@gmail.com> (raw)
ieee80211_mle_size_ok() only lower-bounds the Common-Info-Length octet
(mle->variable[0]) of a Multi-Link element. After accumulating the
expected 'common' length from the presence bitmap it checks
len >= fixed + common and then returns "mle->variable[0] >= common", but
it never verifies that variable[0] fits within the element, i.e. that
variable[0] <= len - fixed.
Because ieee80211_mle_common_size() returns "sizeof(*mle) +
mle->variable[0]" truncated to u8, a Common-Info-Length of 254 wraps it
to 0. cfg80211_defrag_mle() then starts walking per-STA-profile
subelements from offset 0, and a body crafted to also parse as a valid
element stream passes the for_each_element_completed() interlock.
cfg80211_parse_ml_elem_sta_data() finally does:
ml_common_len = ml_elem->variable[0];
...
memcpy(new_ie + data.ielen, ml_elem,
sizeof(*ml_elem) + ml_common_len);
Only the destination is bounded (against IEEE80211_MAX_DATA_LEN); the
source read of sizeof(*ml_elem) + variable[0] bytes from the received
frame is not. A crafted probe response therefore makes the parser
over-read up to ~230 bytes past the element into adjacent slab memory
(the RX skb head, including skb_shared_info), and the copied bytes are
exposed to unprivileged user space through the per-link BSS information
elements in nl80211 scan results -- a remotely-plantable,
locally-readable kernel heap infoleak.
Confirmed over the air between two physical Intel radios on an
unmodified v7.2-rc1 KASAN build: scan results contained heap pointer
values and a kernel uevent string that were absent from the transmitted
frame.
Add the missing upper bound so the Common-Info-Length can never exceed
the element. This also removes the same latent gap in the other
ieee80211_mle_common_size() consumers.
Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
include/linux/ieee80211-eht.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index 18f9c662cf4c..dd1ec8a0af5a 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -919,7 +919,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
return true;
/* if present, common length is the first octet there */
- return mle->variable[0] >= common;
+ return mle->variable[0] >= common &&
+ mle->variable[0] <= len - fixed;
}
/**
--
2.43.0
reply other threads:[~2026-07-05 13:51 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705135011.407300-1-qwe.aldo@gmail.com \
--to=qwe.aldo@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox