From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 560CDEB64DD for ; Sun, 13 Aug 2023 21:24:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231571AbjHMVYi (ORCPT ); Sun, 13 Aug 2023 17:24:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231582AbjHMVYi (ORCPT ); Sun, 13 Aug 2023 17:24:38 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D090410D7 for ; Sun, 13 Aug 2023 14:24:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 66985628E6 for ; Sun, 13 Aug 2023 21:24:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7BD25C433C8; Sun, 13 Aug 2023 21:24:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1691961878; bh=qj1phGDr2We80ad9hU9WGnszmDZrQf+t/0ZPndFE8Q4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wgKgJHoZYESqpBZxsgKyKIa4JmcaQF8uGd+GxB1NLDUY7lqGzrLa79tb+oaRF9p2c lKGJOIkql0Hx/I4oX+XJvHumWcgeSh0XZJqD8um8HeX3JB0WpbXr4xsp/JjhBmbDsT 0QjdK6RfnHysq0xSZmQtBe63udeH0vnr/E4ygao8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Keith Yeo , Johannes Berg Subject: [PATCH 6.4 009/206] wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() Date: Sun, 13 Aug 2023 23:16:19 +0200 Message-ID: <20230813211725.241602703@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230813211724.969019629@linuxfoundation.org> References: <20230813211724.969019629@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Keith Yeo commit 6311071a056272e1e761de8d0305e87cc566f734 upstream. nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the number of MBSSID elements in the nested netlink attribute attrs, which can lead to an integer overflow if a user of the nl80211 interface specifies 256 or more elements in the corresponding attribute in userspace. The integer overflow can lead to a heap buffer overflow as num_elems determines the size of the trailing array in elems, and this array is thereafter written to for each element in attrs. Note that this vulnerability only affects devices with the wiphy->mbssid_max_interfaces member set for the wireless physical device struct in the device driver, and can only be triggered by a process with CAP_NET_ADMIN capabilities. Fix this by checking for a maximum of 255 elements in attrs. Cc: stable@vger.kernel.org Fixes: dc1e3cb8da8b ("nl80211: MBSSID and EMA support in AP mode") Signed-off-by: Keith Yeo Link: https://lore.kernel.org/r/20230731034719.77206-1-keithyjy@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/nl80211.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -5426,8 +5426,11 @@ nl80211_parse_mbssid_elems(struct wiphy if (!wiphy->mbssid_max_interfaces) return ERR_PTR(-EINVAL); - nla_for_each_nested(nl_elems, attrs, rem_elems) + nla_for_each_nested(nl_elems, attrs, rem_elems) { + if (num_elems >= 255) + return ERR_PTR(-EINVAL); num_elems++; + } elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL); if (!elems)