lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <202409050957.7DD6B23EA@keescook>
Date: Thu, 5 Sep 2024 09:58:25 -0700
From: Kees Cook <kees@...nel.org>
To: Dmitry Antipov <dmantipov@...dex.ru>
Cc: Johannes Berg <johannes.berg@...el.com>, Kalle Valo <kvalo@...nel.org>,
	linux-wireless@...r.kernel.org, linux-hardening@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: Re: [PATCH] wifi: cfg80211: fix UBSAN noise in
 cfg80211_wext_siwscan()

On Thu, Sep 05, 2024 at 06:04:00PM +0300, Dmitry Antipov wrote:
> Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
> and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
> following:
> 
> [ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
> [ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
> <...skipped...>
> [ T4985] Call Trace:
> [ T4985]  <TASK>
> [ T4985]  dump_stack_lvl+0x1c2/0x2a0
> [ T4985]  ? __pfx_dump_stack_lvl+0x10/0x10
> [ T4985]  ? __pfx__printk+0x10/0x10
> [ T4985]  __ubsan_handle_out_of_bounds+0x127/0x150
> [ T4985]  cfg80211_wext_siwscan+0x11a4/0x1260
> <...the rest is not too useful...>
> 
> Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
> (void *)&creq->channels[n_channels]', UBSAN treats the latter as
> off-by-one error. Fix this by using pointer arithmetic rather than
> an expression with explicit array indexing and use convenient
> 'struct_size()' to simplify the math here and in 'kzalloc()' above.
> 
> Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
> Signed-off-by: Dmitry Antipov <dmantipov@...dex.ru>

This looks correct -- the offset is based on the allocation base, not
the array within the struct, so no array-out-of-bounds warning will
happen.

Reviewed-by: Kees Cook <kees@...nel.org>

-- 
Kees Cook

Powered by blists - more mailing lists