lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <202410281644.77B7BEF8E@keescook>
Date: Mon, 28 Oct 2024 16:44:58 -0700
From: Kees Cook <kees@...nel.org>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
Cc: vvvvvv@...gle.com, Johannes Berg <johannes@...solutions.net>,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] wifi: nl80211: fix bounds checker error in
 nl80211_parse_sched_scan

On Mon, Oct 28, 2024 at 04:54:43PM -0600, Gustavo A. R. Silva wrote:
> 
> 
> On 28/10/24 16:18, Aleksei Vetrov via B4 Relay wrote:
> > From: Aleksei Vetrov <vvvvvv@...gle.com>
> > 
> > The channels array in the cfg80211_scan_request has a __counted_by
> > attribute attached to it, which points to the n_channels variable. This
> > attribute is used in bounds checking, and if it is not set before the
> > array is filled, then the bounds sanitizer will issue a warning or a
> > kernel panic if CONFIG_UBSAN_TRAP is set.
> > 
> > This patch sets the size of allocated memory as the initial value for
> > n_channels. It is updated with the actual number of added elements after
> > the array is filled.
> > 
> 
> This should include the following tag (and probably CC stable):
> 
> Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")

Agreed.

Reviewed-by: Kees Cook <kees@...nel.org>

-Kees

> 
> Thanks
> --
> Gustavo
> 
> > Signed-off-by: Aleksei Vetrov <vvvvvv@...gle.com>
> > ---
> >   net/wireless/nl80211.c | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> > index d7d099f7118ab5d5c745905abdea85d246c2b7b2..9b1b9dc5a7eb2a864da7b0212bc6a156b7757a9d 100644
> > --- a/net/wireless/nl80211.c
> > +++ b/net/wireless/nl80211.c
> > @@ -9776,6 +9776,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
> >   	request = kzalloc(size, GFP_KERNEL);
> >   	if (!request)
> >   		return ERR_PTR(-ENOMEM);
> > +	request->n_channels = n_channels;
> >   	if (n_ssids)
> >   		request->ssids = (void *)request +
> > 
> > ---
> > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> > change-id: 20241028-nl80211_parse_sched_scan-bounds-checker-fix-c5842f41b863
> > 
> > Best regards,
> 

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ