From patchwork Fri Sep 13 02:39:24 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 1984945
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 1/1] wifi: mac80211: Avoid address calculations via out of bounds array indexing
Date: Fri, 13 Sep 2024 11:39:24 +0900
Message-ID: <20240913023927.1599665-2-koichiro.den@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240913023927.1599665-1-koichiro.den@canonical.com>
References: <20240913023927.1599665-1-koichiro.den@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Kenton Groombridge

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[ 83.964264] Call Trace:
[ 83.964267]
[ 83.964269] dump_stack_lvl+0x3f/0xc0
[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110
[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0
[ 83.964281] __ieee80211_start_scan+0x601/0x990
[ 83.964291] nl80211_trigger_scan+0x874/0x980
[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160
[ 83.964298] genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810

Co-authored-by: Kees Cook
Signed-off-by: Kees Cook
Signed-off-by: Kenton Groombridge
Link: https://msgid.link/20240605152218.236061-1-concord@gentoo.org
Signed-off-by: Johannes Berg
(backported from commit 2663d0462eb32ae7c9b035300ab6b1523886c718)
[koichiroden: Adjusted context due to missing commit 5add321c329b ("wifi: cfg80211: remove scan_width support")]
CVE-2024-41071
Signed-off-by: Koichiro Den
---
 net/mac80211/scan.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 3bf3dd4bafa5..bf28e4722055 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -353,7 +353,8 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) struct cfg80211_scan_request *req; struct cfg80211_chan_def chandef; u8 bands_used = 0; - int i, ielen, n_chans; + int i, ielen; + u32 *n_chans; u32 flags = 0; req = rcu_dereference_protected(local->scan_req, @@ -363,34 +364,34 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) return false; if (ieee80211_hw_check(&local->hw, SINGLE_SCAN_ON_ALL_BANDS)) { + local->hw_scan_req->req.n_channels = req->n_channels; + for (i = 0; i < req->n_channels; i++) { local->hw_scan_req->req.channels[i] = req->channels[i]; bands_used |= BIT(req->channels[i]->band); } - - n_chans = req->n_channels; } else { do { if (local->hw_scan_band == NUM_NL80211_BANDS) return false; - n_chans = 0; + n_chans = &local->hw_scan_req->req.n_channels; + *n_chans = 0; for (i = 0; i < req->n_channels; i++) { if (req->channels[i]->band != local->hw_scan_band) continue; - local->hw_scan_req->req.channels[n_chans] = + local->hw_scan_req->req.channels[(*n_chans)++] = req->channels[i]; - n_chans++; + bands_used |= BIT(req->channels[i]->band); } local->hw_scan_band++; - } while (!n_chans); + } while (!*n_chans); } - local->hw_scan_req->req.n_channels = n_chans; ieee80211_prepare_scan_chandef(&chandef, req->scan_width); if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT)
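Review bot: in the @@ -353,7 +353,8 hunk, `u32 *n_chans` replaces the old `int n_chans` counter but is only ever assigned on the per-band `else` path further down, so it stays uninitialised on the SINGLE_SCAN_ON_ALL_BANDS path. Declaring it inside the `else` block, or initialising it to NULL at function scope, would make that explicit and stop a later edit from dereferencing it on the wrong path. The pointer is assigned from `&local->hw_scan_req->req.n_channels` without a cast, so `u32` is the matching type for the field the variable now aliases.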
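Review bot: in the @@ -363,34 +364,34 hunk the substance of the fix is ordering: `req.n_channels` is now set to `req->n_channels` before the all-bands copy loop, and in the per-band loop it is incremented through `*n_chans` in the same expression that writes each `channels[]` slot, whereas the removed `local->hw_scan_req->req.n_channels = n_chans;` ran only after both loops had already indexed `channels[]`, which is the "index 0 is out of range" report quoted in the commit message. A short comment above `channels[(*n_chans)++]` saying that the count deliberately leads the index would save the next reader from "simplifying" it back into a separate `n_chans++`. Two smaller points: `n_chans = &local->hw_scan_req->req.n_channels;` does not change between `do` iterations and can sit above the loop, and the early `return false` when `hw_scan_band == NUM_NL80211_BANDS` now leaves `req.n_channels` at whatever the previous iteration zeroed it to, where the old code left the field untouched; a sentence in the commit message confirming the caller does not consume `hw_scan_req` on a false return would close that question.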