Lin Ma 29e640ae64 wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one ... [ Upstream commit 2e3dbf9386 ] Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508 CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_report+0xe0/0x750 mm/kasan/report.c:398 kasan_report+0x139/0x170 mm/kasan/report.c:495 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Update the policy to ensure correct validation. Fixes: 7b0a0e3c3a ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Lin Ma <linma@zju.edu.cn> Suggested-by: Cengiz Can <cengiz.can@canonical.com> Link: https://patch.msgid.link/20241130170526.96698-1-linma@zju.edu.cn Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-12-19 18:08:51 +01:00
..
certs	wifi: cfg80211: fix certs build to not depend on file order	2024-01-01 12:39:02 +00:00
.gitignore	.gitignore: add SPDX License Identifier	2020-03-25 11:50:48 +01:00
ap.c	wifi: cfg80211: do some rework towards MLO link APIs	2022-06-20 12:54:58 +02:00
chan.c	wifi: nl80211: relax wdev mutex check in wdev_chandef()	2022-07-01 11:42:58 +02:00
core.c	wifi: cfg80211: clear wdev->cqm_config pointer on free	2024-11-08 16:26:45 +01:00
core.h	Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"	2024-09-30 16:23:55 +02:00
debugfs.c	wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()	2022-08-25 10:04:46 +02:00
debugfs.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
ethtool.c	wifi: cfg80211: use strscpy to replace strlcpy	2022-07-15 11:43:12 +02:00
ibss.c	wifi: cfg80211: Add link_id parameter to various key operations for MLO	2022-08-25 10:41:05 +02:00
Kconfig	cfg80211: select CONFIG_CRC32	2021-01-05 15:50:36 -08:00
lib80211_crypt_ccmp.c	wifi: use struct_group to copy addresses	2022-09-03 16:40:06 +02:00
lib80211_crypt_tkip.c	mm, treewide: rename kzfree() to kfree_sensitive()	2020-08-07 11:33:22 -07:00
lib80211_crypt_wep.c	mm, treewide: rename kzfree() to kfree_sensitive()	2020-08-07 11:33:22 -07:00
lib80211.c	lib80211: Remove unused macro DRV_NAME	2020-09-18 11:53:00 +02:00
Makefile	cfg80211: fix CONFIG_CFG80211_EXTRA_REGDB_KEYDIR typo	2022-03-01 14:10:14 +01:00
mesh.c	wifi: cfg80211: do some rework towards MLO link APIs	2022-06-20 12:54:58 +02:00
mlme.c	wifi: cfg80211: reject auth/assoc to AP with our address	2023-09-23 11:11:03 +02:00
nl80211.c	wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one	2024-12-19 18:08:51 +01:00
nl80211.h	wifi: cfg80211/nl80211: move rx management data into a struct	2022-07-22 14:28:26 +02:00
ocb.c	wifi: cfg80211: ocb: don't leave if not joined	2023-09-23 11:11:03 +02:00
of.c	cfg80211: support ieee80211-freq-limit DT property	2017-01-06 14:01:13 +01:00
pmsr.c	wifi: cfg80211: pmsr: use correct nla_get_uX functions	2024-06-21 14:35:31 +02:00
radiotap.c	mac80211: Use flex-array for radiotap header bitmap	2021-08-13 09:58:25 +02:00
rdev-ops.h	wifi: cfg80211: fix 6 GHz scan request building	2024-07-25 09:49:09 +02:00
reg.c	wifi: cfg80211: fix regulatory disconnect for non-MLO	2023-07-19 16:22:09 +02:00
reg.h	cfg80211: avoid holding the RTNL when calling the driver	2021-01-26 11:55:50 +01:00
scan.c	wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()	2024-10-17 15:20:41 +02:00
sme.c	wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors	2024-10-17 15:20:41 +02:00
sysfs.c	wifi: cfg80211: fully move wiphy work to unbound workqueue	2024-06-21 14:35:31 +02:00
sysfs.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
trace.c
trace.h	wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class	2024-06-12 11:02:58 +02:00
util.c	wifi: cfg80211: fix receiving mesh packets without RFC1042 header	2024-08-29 17:30:55 +02:00
wext-compat.c	wifi: cfg80211: Add link_id parameter to various key operations for MLO	2022-08-25 10:41:05 +02:00
wext-compat.h	treewide: Add SPDX license identifier for missed files	2019-05-21 10:50:45 +02:00
wext-core.c	wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()	2023-07-27 08:50:35 +02:00
wext-priv.c
wext-proc.c	proc: introduce proc_create_net{,_data}	2018-05-16 07:24:30 +02:00
wext-sme.c	wifi: cfg80211: do some rework towards MLO link APIs	2022-06-20 12:54:58 +02:00
wext-spy.c	wireless: wext-spy: Fix out-of-bounds warning	2021-06-23 10:57:17 +02:00