lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <202505091124.40FF7F9B1@keescook>
Date: Fri, 9 May 2025 11:35:01 -0700
From: Kees Cook <kees@...nel.org>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot <syzbot+4bcdddd48bb6f0be0da1@...kaller.appspotmail.com>,
	johannes@...solutions.net, linux-kernel@...r.kernel.org,
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] UBSAN: array-index-out-of-bounds in
 ieee80211_request_ibss_scan

On Mon, Apr 28, 2025 at 12:05:21PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17ca0374580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=90837c100b88a636
> dashboard link: https://syzkaller.appspot.com/bug?extid=4bcdddd48bb6f0be0da1
> compiler:       Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11a39d74580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106fa270580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-5bc10186.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3a2f39285e07/vmlinux-5bc10186.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2a37a55f34fb/bzImage-5bc10186.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/cc5918853785/mount_4.gz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4bcdddd48bb6f0be0da1@...kaller.appspotmail.com
> 
> wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
> wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
> wlan1: Trigger new scan to find an IBSS to join
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
> index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')
> CPU: 0 UID: 0 PID: 131 Comm: kworker/u4:5 Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full) 
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Workqueue: events_unbound cfg80211_wiphy_work
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>  ubsan_epilogue+0xa/0x40 lib/ubsan.c:231
>  __ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:453
>  ieee80211_request_ibss_scan+0x600/0x8b0 net/mac80211/scan.c:1208

This looks like another case of using the array before specifying the
valid entries:

...
                                local->int_scan_req->channels[n_ch] = tmp_ch;
                                n_ch++;
                        }
                }
		...
                local->int_scan_req->n_channels = n_ch;

n_channels controls what array array entries are valid.

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ