Message-Id: <20250403190209.2675485-35-sashal@kernel.org>
Date: Thu, 3 Apr 2025 15:01:50 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Cc: Johannes Berg <johannes.berg@...el.com>,
Ilan Peer <ilan.peer@...el.com>,
Miri Korenblit <miriam.rachel.korenblit@...el.com>,
Sasha Levin <sashal@...nel.org>,
johannes@...solutions.net,
linux-wireless@...r.kernel.org
Subject: [PATCH AUTOSEL 6.14 35/54] wifi: mac80211: fix userspace_selectors corruption
From: Johannes Berg <johannes.berg@...el.com>
[ Upstream commit 700014d3ad1fd6e55c8f9ffa817514d3fbb5286e ]
Spotted during code review, the selectors need to be large
enough for a 128-bit bitmap, not a single unsigned long,
otherwise we have stack corruption.
We should also allow passing selectors from userspace, but
that should be a separate change.
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Reviewed-by: Ilan Peer <ilan.peer@...el.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@...el.com>
Link: https://patch.msgid.link/20250308225541.8f1bcf96a504.Ibeb8970c82a30c97279a4cc4e68faca5df1813a5@changeid
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
net/mac80211/mlme.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 64fa3fba244eb..4951e4fa7373a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -9648,8 +9648,6 @@ EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
static void ieee80211_ml_reconf_selectors(unsigned long *userspace_selectors)
{
- *userspace_selectors = 0;
-
/* these selectors are mandatory for ML reconfiguration */
set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E, userspace_selectors);
set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, userspace_selectors);
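Review bot: With the `*userspace_selectors = 0;` store removed, ieee80211_ml_reconf_selectors() only sets bits, so it silently depends on every caller passing a zero-initialised bitmap wide enough for the selector numbers; the signature is still a bare `unsigned long *` that neither states nor enforces this. The commit message describes the violation of that unstated size contract as stack corruption, so it should be written down above the function, e.g. `/* caller must pass a zeroed bitmap of at least 128 bits; this helper only sets bits */`. The function body continues past the end of this hunk.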
@@ -9669,7 +9667,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
sdata->u.mgd.reconf.removed_links;
u16 link_mask, valid_links;
unsigned int link_id;
- unsigned long userspace_selectors;
+ unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
size_t orig_len = len;
u8 i, group_key_data_len;
u8 *pos;
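Review bot: The literal 128 in `unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};` is repeated in the matching declaration in ieee80211_mgd_assoc_ml_reconf() (the hunk at -10157). Nothing ties it to the bitmap size that ieee80211_prep_channel() assumes on the other end of the pointer, which is not visible in this patch. A single named constant shared by both declarations and by the consumer, used as `DECLARE_BITMAP(userspace_selectors, <SELECTOR_BITS_CONSTANT>) = {};` at each site, would keep a later change to the selector range from reintroducing an undersized stack buffer. The declaration block of ieee80211_process_ml_reconf_resp() starts and ends outside this hunk.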
@@ -9777,7 +9775,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
}
ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
- ieee80211_ml_reconf_selectors(&userspace_selectors);
+ ieee80211_ml_reconf_selectors(userspace_selectors);
link_mask = 0;
for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
@@ -9823,7 +9821,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
link->u.mgd.conn = add_links_data->link[link_id].conn;
if (ieee80211_prep_channel(sdata, link, link_id, cbss,
true, &link->u.mgd.conn,
- &userspace_selectors)) {
+ userspace_selectors)) {
link_info(link, "mlo: reconf: prep_channel failed\n");
goto disconnect;
}
@@ -10157,14 +10155,14 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
*/
if (added_links) {
bool uapsd_supported;
- unsigned long userspace_selectors;
+ unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
uapsd_supported = true;
- ieee80211_ml_reconf_selectors(&userspace_selectors);
+ ieee80211_ml_reconf_selectors(userspace_selectors);
for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
link_id++) {
struct ieee80211_supported_band *sband;
@@ -10240,7 +10238,7 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
data->link[link_id].bss,
true,
&data->link[link_id].conn,
- &userspace_selectors);
+ userspace_selectors);
if (err)
goto err_free;
}
--
2.39.5