Message-ID: <12490f84-6b0c-41c0-9129-f02ccbeaa24c@embeddedor.com>
Date: Fri, 9 May 2025 13:10:56 -0600
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Kees Cook <kees@...nel.org>, Edward Adam Davis <eadavis@...com>
Cc: syzbot+4bcdddd48bb6f0be0da1@...kaller.appspotmail.com,
 Johannes Berg <johannes@...solutions.net>, linux-wireless@...r.kernel.org,
 "Gustavo A. R. Silva" <gustavoars@...nel.org>,
 Jeff Johnson <jeff.johnson@....qualcomm.com>, linux-kernel@...r.kernel.org,
 linux-hardening@...r.kernel.org
Subject: Re: [PATCH] wifi: mac80211: Set n_channels after allocating struct
 cfg80211_scan_request



On 09/05/25 12:46, Kees Cook wrote:
> Make sure that n_channels is set after allocating the
> struct cfg80211_registered_device::int_scan_req member. Seen with
> syzkaller:
> 
> UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
> index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')
> 
> This was missed in the initial conversions because I failed to locate
> the allocation likely due to the "sizeof(void *)" not matching the
> "channels" array type.
> 
> Reported-by: syzbot+4bcdddd48bb6f0be0da1@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/680fd171.050a0220.2b69d1.045e.GAE@google.com/
> Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by")
> Signed-off-by: Kees Cook <kees@...nel.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>

Thanks!
-Gustavo

> ---
> Cc: Edward Adam Davis <eadavis@...com>
> Cc: Johannes Berg <johannes@...solutions.net>
> Cc: <linux-wireless@...r.kernel.org>
> ---
>   net/mac80211/main.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/mac80211/main.c b/net/mac80211/main.c
> index 741e6c7edcb7..6b6de43d9420 100644
> --- a/net/mac80211/main.c
> +++ b/net/mac80211/main.c
> @@ -1354,10 +1354,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
>   	hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR);
>   
>   
> -	local->int_scan_req = kzalloc(sizeof(*local->int_scan_req) +
> -				      sizeof(void *) * channels, GFP_KERNEL);
> +	local->int_scan_req = kzalloc(struct_size(local->int_scan_req,
> +						  channels, channels),
> +				      GFP_KERNEL);
>   	if (!local->int_scan_req)
>   		return -ENOMEM;
> +	local->int_scan_req->n_channels = channels;
>   
>   	eth_broadcast_addr(local->int_scan_req->bssid);
>   
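Review bot: The switch to struct_size() in the kzalloc() call is a second change that the subject line does not mention, and it would be worth saying so in the commit message. The subject only talks about setting n_channels, while the body merely hints at the size computation through the "sizeof(void *)" remark. In `struct_size(local->int_scan_req, channels, channels)` the first `channels` is the flexible array member and the second is the local count, so a one-line comment above the call would spare the next reader a double take. The placement of `local->int_scan_req->n_channels = channels;` looks right: it comes after the NULL check and before the first use of the structure in the visible context (eth_broadcast_addr()), so the __counted_by(n_channels) bound is in place before anything indexes the array.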

