Message-ID: <CANn89i+5R2B00zkjocOOSWRLB0ZNBgjdMLSBbUFpcTOH=9obAw@mail.gmail.com>
Date: Tue, 4 Apr 2023 19:01:15 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Simon Horman <simon.horman@...igine.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
    Paolo Abeni <pabeni@...hat.com>, Johannes Berg <johannes@...solutions.net>,
    linux-wireless@...r.kernel.org, netdev@...r.kernel.org, eric.dumazet@...il.com,
    syzbot <syzkaller@...glegroups.com>, Jaewan Kim <jaewan@...gle.com>,
    Johannes Berg <johannes.berg@...el.com>
Subject: Re: [PATCH net] mac80211_hwsim: fix potential NULL deref in hwsim_pmsr_report_nl()

On Tue, Apr 4, 2023 at 6:18 PM Simon Horman <simon.horman@...igine.com> wrote:
>
> On Tue, Apr 04, 2023 at 01:48:03PM +0000, Eric Dumazet wrote:
> > syzbot reported a NULL deref caused by a missing check
> > in hwsim_pmsr_report_nl(), and bisected the issue to cited commit.
> >
>
> Hi Eric,
>
> I think this is for net-next / wireless-next as
> the above mentioned patch does not seem to be in Linus's tree.

Oh right, script error on my side. This was generated from -next tree.

> > > --- > > drivers/net/wireless/virtual/mac80211_hwsim.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c > > index f446d8f6e1f6e1df108db00e898fa02970162585..701e14b8e6fe0cae7ee2478c8dff0f2327b54a70 100644 > > --- a/drivers/net/wireless/virtual/mac80211_hwsim.c > > +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
> > @@ -3761,6 +3761,8 @@ static int hwsim_pmsr_report_nl(struct sk_buff *msg, struct genl_info *info) > > int rem; > > > > src = nla_data(info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]); > > + if (!src) > > + return -EINVAL; > > data = get_hwsim_data_ref_from_addr(src); > > if (!data) > > return -EINVAL;
>
> I could well be wrong, but this looks a little odd given that nla_data is:
>
> static inline void *nla_data(const struct nlattr *nla)
> {
>         return (char *) nla + NLA_HDRLEN;
> }
>
> Perhaps we want something like this (*compile tested only!*) ?
>
>         if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER])
>                 return -EINVAL;
>         src = nla_data(info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]);

Oh right, thanks for reviewing this :)

I will send a V2 soon.
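
Review bot: the added "if (!src)" test sits after the nla_data() call in hwsim_pmsr_report_nl() and cannot detect a missing attribute. As quoted in the thread, nla_data() returns the attribute pointer plus NLA_HDRLEN, so when info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] is NULL, src is a small non-NULL value that still reaches get_hwsim_data_ref_from_addr(). Test the attribute slot itself before taking its data, that is "if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]) return -EINVAL;" ahead of the nla_data() line, and drop the "!src" check, which is then dead code.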