| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061843-CVE-2025-38013-eef6@gregkh> Date: Wed, 18 Jun 2025 11:28:47 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38013: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions because I failed to locate the allocation likely due to the "sizeof(void *)" not matching the "channels" array type. The Linux kernel CVE team has assigned CVE-2025-38013 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6 with commit e3eac9f32ec04112b39e01b574ac739382469bf9 and fixed in 6.6.92 with commit fde33ab3c052a302ee8a0b739094b88ceae4dd67 Issue introduced in 6.6 with commit e3eac9f32ec04112b39e01b574ac739382469bf9 and fixed in 6.12.30 with commit 07c737d9ab02c07b562aefcca16aa95077368e24 Issue introduced in 6.6 with commit e3eac9f32ec04112b39e01b574ac739382469bf9 and fixed in 6.14.8 with commit e3192e999a0d05ea0ba2c59c09afaf0b8ee70b81 Issue introduced in 6.6 with commit e3eac9f32ec04112b39e01b574ac739382469bf9 and fixed in 6.15 with commit 82bbe02b2500ef0a62053fe2eb84773fe31c5a0a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38013 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/mac80211/main.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/fde33ab3c052a302ee8a0b739094b88ceae4dd67 https://git.kernel.org/stable/c/07c737d9ab02c07b562aefcca16aa95077368e24 https://git.kernel.org/stable/c/e3192e999a0d05ea0ba2c59c09afaf0b8ee70b81 https://git.kernel.org/stable/c/82bbe02b2500ef0a62053fe2eb84773fe31c5a0a
Powered by blists - more mailing lists