Message-ID: <20250227090932.1871272-1-quic_zhonhan@quicinc.com>
Date: Thu, 27 Feb 2025 17:09:32 +0800
From: Zhongqiu Han <quic_zhonhan@...cinc.com>
To: <johannes@...solutions.net>, <miriam.rachel.korenblit@...el.com>,
        <syzbot+5a7b40bcb34dea5ca959@...kaller.appspotmail.com>
CC: <linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <quic_zhonhan@...cinc.com>, <syzkaller-bugs@...glegroups.com>
Subject: [RFC PATCH] wifi: mac80211: Prevent disconnect reports when no AP is associated

syzbot reports that cfg80211_tx_mlme_mgmt is using uninit-value:

=====================================================
BUG: KMSAN: uninit-value in cfg80211_tx_mlme_mgmt+0x155/0x300 net/wireless/mlme.c:226
cfg80211_tx_mlme_mgmt+0x155/0x300 net/wireless/mlme.c:226
ieee80211_report_disconnect net/mac80211/mlme.c:4238 [inline]
ieee80211_sta_connection_lost+0xfa/0x150 net/mac80211/mlme.c:7811
ieee80211_sta_work+0x1dea/0x4ef0
ieee80211_iface_work+0x1900/0x1970 net/mac80211/iface.c:1684
cfg80211_wiphy_work+0x396/0x860 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xc1a/0x1e80 kernel/workqueue.c:3317
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3398
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Local variable frame_buf created at:
ieee80211_sta_connection_lost+0x43/0x150 net/mac80211/mlme.c:7806
ieee80211_sta_work+0x1dea/0x4ef0
=====================================================

The reason is that the local variable frame_buf on the stack cannot be
initialized by default. However, one more question is that avoiding the
uninit-value bug by explicitly initializing it is not enough. Since commit
687a7c8a7227 ("wifi: mac80211: change disassoc sequence a bit"), if there
is no AP station, frame_buf has no chance to be assigned a valid value.
The function ieee80211_report_disconnect should not continue executing
with the frame_buf parameter that is merely initialized to zero.

Signed-off-by: Zhongqiu Han <quic_zhonhan@...cinc.com>
Fixes: 687a7c8a7227 ("wifi: mac80211: change disassoc sequence a bit")
Reported-by: syzbot+5a7b40bcb34dea5ca959@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/67bf36d3.050a0220.38b081.01ff.GAE@google.com/
---
Please kindly help thoroughly review this patch as I am not a wireless network expert.

 net/mac80211/mlme.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 4e8f0a5f6251..4f3b535b1174 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4414,6 +4414,10 @@ static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
 		.u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
 		.u.mlme.reason = reason,
 	};
+	struct sta_info *ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
+
+	if (WARN_ON(!ap_sta))
+		return;
 
 	if (tx)
 		cfg80211_tx_mlme_mgmt(sdata->dev, buf, len, reconnect);
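Review bot: The sta_info_get() lookup here runs only after ieee80211_set_disassoc() has already completed (see the ieee80211_sta_connection_lost() path in the trace above), so it is worth confirming that the AP station entry and sdata->vif.cfg.ap_addr still exist at that point; if the disassoc teardown has already flushed them, this WARN_ON(!ap_sta) will fire on every ordinary disconnect and the cfg80211 report will never be delivered. Since the commit message says the no-AP case is reachable from the syzbot reproducer, a WARN_ON also turns a userspace-triggerable condition into a kernel warning splat; a plain `if (!ap_sta) return;` (or a check at the call site) is the safer shape. More fundamentally, the information this check is trying to recover ("did ieee80211_set_disassoc() actually fill frame_buf?") is known inside ieee80211_set_disassoc(); having it report that (e.g. via a return value) and skipping ieee80211_report_disconnect() in the caller would be more targeted than re-deriving it in the generic reporter, which has other callers whose buffers come from elsewhere.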
@@ -8070,7 +8074,7 @@ static void ieee80211_sta_timer(struct timer_list *t)
 void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
 				   u8 reason, bool tx)
 {
-	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN] = {0};
 
 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
 			       tx, frame_buf);
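Review bot: The `= {0}` initialisation silences the KMSAN report but does not fix what the commit message identifies as the real problem, and once the ap_sta check in the first hunk is in place it becomes redundant; worse, if that check ever fails to catch the no-AP case, a zero-filled buffer is now passed to cfg80211_tx_mlme_mgmt() as though it were a real deauth frame with nothing to flag it. Tying the ieee80211_report_disconnect() call in ieee80211_sta_connection_lost() to whether ieee80211_set_disassoc() actually populated frame_buf (e.g. a bool return, or checking that the buffer was written) would remove the need for the zero-fill and make the intent visible at the call site.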
-- 
2.25.1

