| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2d1a41aa000c8de8f82827bd8c06459e01f10423.camel@sipsolutions.net> Date: Fri, 18 Jul 2025 17:57:27 +0200 From: Johannes Berg <johannes@...solutions.net> To: Eric Biggers <ebiggers@...nel.org>, linux-wireless@...r.kernel.org Cc: syzbot <syzbot+d1008c24929007591b6b@...kaller.appspotmail.com>, ardb@...nel.org, bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, mingo@...hat.com, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com, tglx@...utronix.de, x86@...nel.org Subject: Re: [syzbot] [wireless] BUG: unable to handle kernel paging request in ieee80211_wep_encrypt On Fri, 2025-07-18 at 07:50 -0700, Eric Biggers wrote: > > > > BUG: unable to handle page fault for address: ffff8880bfffd000 [...] > > Call Trace: > > <TASK> > > crc32_le_arch+0x56/0xa0 arch/x86/lib/crc32.c:21 > > crc32_le include/linux/crc32.h:18 [inline] > > ieee80211_wep_encrypt_data net/mac80211/wep.c:114 [inline] > > ieee80211_wep_encrypt+0x228/0x410 net/mac80211/wep.c:158 [...] > > nl80211_tx_mgmt+0x9fd/0xd50 net/wireless/nl80211.c:12921 > > syzbot assigned this to the "crypto" subsystem. However, the crash > happened in crc32_le() which is not part of the crypto subsystem. Also, > crc32_le() is well-tested (e.g. by crc_kunit), and the bug is unlikely > to be there. Rather, the calling code in ieee80211_wep_encrypt_data() > is passing an invalid data buffer to crc32_le(). So let's do: Agree, that makes sense, looks like we never check the frame length correctly. Since there's no reproducer (yet) I guess we won't be testing against it with syzbot though :) johannes
Powered by blists - more mailing lists