|
| 1 | +wifi: mac80211: Avoid address calculations via out of bounds array indexing |
| 2 | + |
| 3 | +jira LE-3201 |
| 4 | +cve CVE-2024-41071 |
| 5 | +Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10 |
| 6 | +commit-author Kenton Groombridge < [email protected]> |
| 7 | +commit 2663d0462eb32ae7c9b035300ab6b1523886c718 |
| 8 | +Empty-Commit: Cherry-Pick Conflicts during history rebuild. |
| 9 | +Will be included in final tarball splat. Ref for failed cherry-pick at: |
| 10 | +ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed |
| 11 | + |
| 12 | +req->n_channels must be set before req->channels[] can be used. |
| 13 | + |
| 14 | +This patch fixes one of the issues encountered in [1]. |
| 15 | + |
| 16 | +[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 |
| 17 | +[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' |
| 18 | +[...] |
| 19 | +[ 83.964264] Call Trace: |
| 20 | +[ 83.964267] <TASK> |
| 21 | +[ 83.964269] dump_stack_lvl+0x3f/0xc0 |
| 22 | +[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 |
| 23 | +[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 |
| 24 | +[ 83.964281] __ieee80211_start_scan+0x601/0x990 |
| 25 | +[ 83.964291] nl80211_trigger_scan+0x874/0x980 |
| 26 | +[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 |
| 27 | +[ 83.964298] genl_rcv_msg+0x240/0x270 |
| 28 | +[...] |
| 29 | + |
| 30 | +[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810 |
| 31 | + |
| 32 | +Co-authored-by: Kees Cook < [email protected]> |
| 33 | + Signed-off-by: Kees Cook < [email protected]> |
| 34 | + Signed-off-by: Kenton Groombridge < [email protected]> |
| 35 | +Link: https://msgid.link/ [email protected] |
| 36 | + Signed-off-by: Johannes Berg < [email protected]> |
| 37 | +(cherry picked from commit 2663d0462eb32ae7c9b035300ab6b1523886c718) |
| 38 | + Signed-off-by: Jonathan Maple < [email protected]> |
| 39 | + |
| 40 | +# Conflicts: |
| 41 | +# net/mac80211/scan.c |
| 42 | +diff --cc net/mac80211/scan.c |
| 43 | +index 8428841d4760,b5f2df61c7f6..000000000000 |
| 44 | +--- a/net/mac80211/scan.c |
| 45 | ++++ b/net/mac80211/scan.c |
| 46 | +@@@ -391,11 -394,10 +393,15 @@@ static bool ieee80211_prep_hw_scan(stru |
| 47 | + } |
| 48 | + |
| 49 | + local->hw_scan_band++; |
| 50 | +- } while (!n_chans); |
| 51 | ++ } while (!*n_chans); |
| 52 | + } |
| 53 | + |
| 54 | +++<<<<<<< HEAD |
| 55 | + + local->hw_scan_req->req.n_channels = n_chans; |
| 56 | + + ieee80211_prepare_scan_chandef(&chandef, req->scan_width); |
| 57 | +++======= |
| 58 | ++ ieee80211_prepare_scan_chandef(&chandef); |
| 59 | +++>>>>>>> 2663d0462eb3 (wifi: mac80211: Avoid address calculations via out of bounds array indexing) |
| 60 | + |
| 61 | + if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT) |
| 62 | + flags |= IEEE80211_PROBE_FLAG_MIN_CONTENT; |
| 63 | +* Unmerged path net/mac80211/scan.c |
0 commit comments