Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH] wifi: cfg80211: bound Common-Info-Length in ieee80211_mle_size_ok()
@ 2026-07-05 13:50 Aldo Ariel Panzardo
  0 siblings, 0 replies; only message in thread
From: Aldo Ariel Panzardo @ 2026-07-05 13:50 UTC (permalink / raw)
  To: Johannes Berg
  Cc: linux-wireless, linux-kernel, security, Greg Kroah-Hartman,
	Aldo Ariel Panzardo

ieee80211_mle_size_ok() only lower-bounds the Common-Info-Length octet
(mle->variable[0]) of a Multi-Link element. After accumulating the
expected 'common' length from the presence bitmap it checks
len >= fixed + common and then returns "mle->variable[0] >= common", but
it never verifies that variable[0] fits within the element, i.e. that
variable[0] <= len - fixed.

Because ieee80211_mle_common_size() returns "sizeof(*mle) +
mle->variable[0]" truncated to u8, a Common-Info-Length of 254 wraps it
to 0. cfg80211_defrag_mle() then starts walking per-STA-profile
subelements from offset 0, and a body crafted to also parse as a valid
element stream passes the for_each_element_completed() interlock.
cfg80211_parse_ml_elem_sta_data() finally does:

	ml_common_len = ml_elem->variable[0];
	...
	memcpy(new_ie + data.ielen, ml_elem,
	       sizeof(*ml_elem) + ml_common_len);

Only the destination is bounded (against IEEE80211_MAX_DATA_LEN); the
source read of sizeof(*ml_elem) + variable[0] bytes from the received
frame is not. A crafted probe response therefore makes the parser
over-read up to ~230 bytes past the element into adjacent slab memory
(the RX skb head, including skb_shared_info), and the copied bytes are
exposed to unprivileged user space through the per-link BSS information
elements in nl80211 scan results -- a remotely-plantable,
locally-readable kernel heap infoleak.

Confirmed over the air between two physical Intel radios on an
unmodified v7.2-rc1 KASAN build: scan results contained heap pointer
values and a kernel uevent string that were absent from the transmitted
frame.

Add the missing upper bound so the Common-Info-Length can never exceed
the element. This also removes the same latent gap in the other
ieee80211_mle_common_size() consumers.

Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
 include/linux/ieee80211-eht.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index 18f9c662cf4c..dd1ec8a0af5a 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -919,7 +919,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
 		return true;
 
 	/* if present, common length is the first octet there */
-	return mle->variable[0] >= common;
+	return mle->variable[0] >= common &&
+	       mle->variable[0] <= len - fixed;
 }
 
 /**
-- 
2.43.0


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-07-05 13:51 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-05 13:50 [PATCH] wifi: cfg80211: bound Common-Info-Length in ieee80211_mle_size_ok() Aldo Ariel Panzardo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox