
Commit 6042ceb

wifi: mac80211: Avoid address calculations via out of bounds array indexing
jira LE-3201
cve CVE-2024-41071
Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
commit-author Kenton Groombridge <[email protected]>
commit 2663d04
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[ 83.964264] Call Trace:
[ 83.964267] <TASK>
[ 83.964269] dump_stack_lvl+0x3f/0xc0
[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110
[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0
[ 83.964281] __ieee80211_start_scan+0x601/0x990
[ 83.964291] nl80211_trigger_scan+0x874/0x980
[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160
[ 83.964298] genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810

Co-authored-by: Kees Cook <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Link: https://msgid.link/[email protected]
Signed-off-by: Johannes Berg <[email protected]>
(cherry picked from commit 2663d04)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
# net/mac80211/scan.c
1 parent 24c39aa commit 6042ceb

1 file changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
wifi: mac80211: Avoid address calculations via out of bounds array indexing
2+
3+
jira LE-3201
4+
cve CVE-2024-41071
5+
Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
6+
commit-author Kenton Groombridge <[email protected]>
7+
commit 2663d0462eb32ae7c9b035300ab6b1523886c718
8+
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
9+
Will be included in final tarball splat. Ref for failed cherry-pick at:
10+
ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/2663d046.failed
11+
12+
req->n_channels must be set before req->channels[] can be used.
13+
14+
This patch fixes one of the issues encountered in [1].
15+
16+
[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
17+
[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
18+
[...]
19+
[ 83.964264] Call Trace:
20+
[ 83.964267] <TASK>
21+
[ 83.964269] dump_stack_lvl+0x3f/0xc0
22+
[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110
23+
[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0
24+
[ 83.964281] __ieee80211_start_scan+0x601/0x990
25+
[ 83.964291] nl80211_trigger_scan+0x874/0x980
26+
[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160
27+
[ 83.964298] genl_rcv_msg+0x240/0x270
28+
[...]
29+
30+
[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810
31+
32+
Co-authored-by: Kees Cook <[email protected]>
33+
Signed-off-by: Kees Cook <[email protected]>
34+
Signed-off-by: Kenton Groombridge <[email protected]>
35+
Link: https://msgid.link/[email protected]
36+
Signed-off-by: Johannes Berg <[email protected]>
37+
(cherry picked from commit 2663d0462eb32ae7c9b035300ab6b1523886c718)
38+
Signed-off-by: Jonathan Maple <[email protected]>
39+
40+
# Conflicts:
41+
# net/mac80211/scan.c
42+
diff --cc net/mac80211/scan.c
43+
index 8428841d4760,b5f2df61c7f6..000000000000
44+
--- a/net/mac80211/scan.c
45+
+++ b/net/mac80211/scan.c
46+
@@@ -391,11 -394,10 +393,15 @@@ static bool ieee80211_prep_hw_scan(stru
47+
}
48+
49+
local->hw_scan_band++;
50+
- } while (!n_chans);
51+
+ } while (!*n_chans);
52+
}
53+
54+
++<<<<<<< HEAD
55+
+ local->hw_scan_req->req.n_channels = n_chans;
56+
+ ieee80211_prepare_scan_chandef(&chandef, req->scan_width);
57+
++=======
58+
+ ieee80211_prepare_scan_chandef(&chandef);
59+
++>>>>>>> 2663d0462eb3 (wifi: mac80211: Avoid address calculations via out of bounds array indexing)
60+
61+
if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT)
62+
flags |= IEEE80211_PROBE_FLAG_MIN_CONTENT;
63+
* Unmerged path net/mac80211/scan.c
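
Review bot: The conflict region at the end of the recorded diff (`++<<<<<<< HEAD` through `++>>>>>>> 2663d0462eb3`) is left unresolved and the commit is marked Empty-Commit, so nothing here changes net/mac80211/scan.c and the CVE-2024-41071 fix is not yet in the tree at this commit. Anyone tracking coverage for that CVE should verify the final tarball content rather than rely on this commit being present. For the resolution itself, the two sides differ in two ways: HEAD keeps `local->hw_scan_req->req.n_channels = n_chans;` after the loop and passes `req->scan_width` to `ieee80211_prepare_scan_chandef()`, while the upstream side drops the post-loop assignment and uses the one-argument call. Taking upstream's removal of the late assignment while keeping HEAD's two-argument call (presumably the signature this older tree still has) would match the stated intent that req->n_channels be set before req->channels[] is used. The part of the function where `n_chans` becomes a pointer (`while (!*n_chans)`) is not visible in this excerpt, so the resolved code should be checked against the full upstream change to confirm the count is written before any channels[] access.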
