Message-ID: <CAFD3drMqc9YWvTCSHLyP89AOpBZsHdZ+pak6zVftYoZcUyF7gw@mail.gmail.com>
Date: Fri, 23 Jan 2026 22:26:26 -0500
From: Ruikai Peng <ruikai@...o.io>
To: linux-wireless@...r.kernel.org
Cc: johannes@...solutions.net, linux-kernel@...r.kernel.org
Subject: [BUG] mac80211: TTLM advertised T2L parsing reads 1 byte past element end with DEF_LINK_MAP

Hi,

I believe there is a remotely-triggerable out-of-bounds read in
mac80211 TTLM parsing.

ieee80211_parse_adv_t2l() unconditionally reads the first byte of
ttlm->optional (link_map_presence = *pos;).
ieee80211_tid_to_link_map_size_ok() permits DEF_LINK_MAP with no
optional bytes (minimum element length == sizeof(struct
ieee80211_ttlm_elem)). So a minimal TTLM element with DEF_LINK_MAP
passes validation but causes the parser to read 1 byte past the
element boundary.

Input
- Extension IE: EID=0xFF, LEN=0x02, EXT_ID=0x6D (TTLM)
- CONTROL=0x06 (DIR=BOTH + DEF_LINK_MAP)
- Byte sequence: ff 02 6d 06

Reachability
- Assoc response path: ieee80211_assoc_success() -> ieee80211_parse_adv_t2l()
- Beacon path: ieee80211_process_adv_ttlm() -> ieee80211_parse_adv_t2l()

This would result in an OOB read of 1 byte (element-level; may still be
inside the skb buffer). The value is unused when DEF_LINK_MAP is set, so
exploitability appears low.

Repro:
MLO association using hwsim + hostapd/wpa_supplicant; advertise the
minimal TTLM IE in beacon + assocresp. I used GDB to confirm
ttlm->optional == end-of-element, after which the parser reads *pos.
(Additional writeup: https://bugs.pwno.io/private/95a10f11e34e89d5)

I recommend deferring the read of *pos until after the DEF_LINK_MAP
check, or requiring at least 1 optional byte in validation when
DEF_LINK_MAP is set.

I can provide a small patch if you'd like.
- Ruikai Peng
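The ordering problem and both recommended fixes, modelled in an added example that is not mac80211 code: the struct layout, the TTLM_CTRL_DEF_LINK_MAP bit value (chosen so that CONTROL=0x06 reads as DIR=BOTH + DEF_LINK_MAP) and the return codes are assumptions for illustration, and the "read first" variant reports the overread instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed control-bit layout, chosen so CONTROL=0x06 means DIR=BOTH + DEF_LINK_MAP. */
#define TTLM_CTRL_DEF_LINK_MAP 0x04
#define TTLM_OK 0
#define TTLM_REJECTED (-1)
#define TTLM_OVERREAD 1		/* parser would read past the element end */

struct ttlm_elem {
	uint8_t control;
	uint8_t optional[];	/* link_map_presence, then per-TID link maps */
};

/* Reported ordering: optional[0] is read before DEF_LINK_MAP is checked.
 * The size check mirrors the report: DEF_LINK_MAP needs only the control byte. */
static int parse_t2l_read_first(const uint8_t *elem, size_t elem_len, uint8_t *map)
{
	const struct ttlm_elem *ttlm = (const struct ttlm_elem *)elem;
	const uint8_t *pos = ttlm->optional, *end = elem + elem_len;
	if (elem_len < sizeof(struct ttlm_elem))
		return TTLM_REJECTED;
	if (pos >= end)			/* elem_len == 1: *pos is one byte past the element */
		return TTLM_OVERREAD;
	*map = (ttlm->control & TTLM_CTRL_DEF_LINK_MAP) ? 0xFF : *pos;
	return TTLM_OK;
}

/* Recommended ordering: decide on DEF_LINK_MAP first, and only then require
 * (and read) the presence byte for an explicit mapping. */
static int parse_t2l_check_first(const uint8_t *elem, size_t elem_len, uint8_t *map)
{
	const struct ttlm_elem *ttlm = (const struct ttlm_elem *)elem;
	const uint8_t *pos = ttlm->optional, *end = elem + elem_len;
	if (elem_len < sizeof(struct ttlm_elem))
		return TTLM_REJECTED;
	if (ttlm->control & TTLM_CTRL_DEF_LINK_MAP) {
		*map = 0xFF;		/* default mapping: every TID on every link */
		return TTLM_OK;
	}
	if (pos >= end)			/* explicit map must carry at least the presence byte */
		return TTLM_REJECTED;
	*map = *pos;
	return TTLM_OK;
}

/* Constructed element body from the report's ff 02 6d 06: only CONTROL=0x06 after EXT_ID. */
static const uint8_t minimal_ttlm_body[] = { 0x06 };
/* Constructed: explicit (non-default) mapping with and without its presence byte. */
static const uint8_t explicit_ttlm_body[] = { 0x02, 0x05 };
static const uint8_t truncated_ttlm_body[] = { 0x02 };
```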
