All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com,
	Johannes Berg <johannes@sipsolutions.net>,
	Anant Thazhemadam <anant.thazhemadam@gmail.com>,
	Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.10 39/40] nl80211: validate key indexes for cfg80211_registered_device
Date: Wed, 23 Dec 2020 16:33:40 +0100	[thread overview]
Message-ID: <20201223150517.414201577@linuxfoundation.org> (raw)
In-Reply-To: <20201223150515.553836647@linuxfoundation.org>

From: Anant Thazhemadam <anant.thazhemadam@gmail.com>

commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream.

syzbot discovered a bug in which an OOB access was being made because
an unsuitable key_idx value was wrongly considered to be acceptable
while deleting a key in nl80211_del_key().

Since we don't know the cipher at the time of deletion, if
cfg80211_validate_key_settings() were to be called directly in
nl80211_del_key(), even valid keys would be wrongly determined invalid,
and deletion wouldn't occur correctly.
For this reason, a new function - cfg80211_valid_key_idx(), has been
created, to determine if the key_idx value provided is valid or not.
cfg80211_valid_key_idx() is directly called in 2 places -
nl80211_del_key(), and cfg80211_validate_key_settings().

Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com
Cc: stable@vger.kernel.org
[also disallow IGTK key IDs if no IGTK cipher is supported]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/core.h    |    2 +
 net/wireless/nl80211.c |    7 +++---
 net/wireless/util.c    |   51 +++++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 49 insertions(+), 11 deletions(-)

--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -433,6 +433,8 @@ void cfg80211_sme_abandon_assoc(struct w
 
 /* internal helpers */
 bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise);
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr);
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4260,9 +4260,6 @@ static int nl80211_del_key(struct sk_buf
 	if (err)
 		return err;
 
-	if (key.idx < 0)
-		return -EINVAL;
-
 	if (info->attrs[NL80211_ATTR_MAC])
 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
@@ -4278,6 +4275,10 @@ static int nl80211_del_key(struct sk_buf
 	    key.type != NL80211_KEYTYPE_GROUP)
 		return -EINVAL;
 
+	if (!cfg80211_valid_key_idx(rdev, key.idx,
+				    key.type == NL80211_KEYTYPE_PAIRWISE))
+		return -EINVAL;
+
 	if (!rdev->ops->del_key)
 		return -EOPNOTSUPP;
 
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -272,18 +272,53 @@ bool cfg80211_supported_cipher_suite(str
 	return false;
 }
 
-int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
-				   struct key_params *params, int key_idx,
-				   bool pairwise, const u8 *mac_addr)
+static bool
+cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev)
+{
+	struct wiphy *wiphy = &rdev->wiphy;
+	int i;
+
+	for (i = 0; i < wiphy->n_cipher_suites; i++) {
+		switch (wiphy->cipher_suites[i]) {
+		case WLAN_CIPHER_SUITE_AES_CMAC:
+		case WLAN_CIPHER_SUITE_BIP_CMAC_256:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_128:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_256:
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise)
 {
-	int max_key_idx = 5;
+	int max_key_idx;
 
-	if (wiphy_ext_feature_isset(&rdev->wiphy,
-				    NL80211_EXT_FEATURE_BEACON_PROTECTION) ||
-	    wiphy_ext_feature_isset(&rdev->wiphy,
-				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
+	if (pairwise)
+		max_key_idx = 3;
+	else if (wiphy_ext_feature_isset(&rdev->wiphy,
+					 NL80211_EXT_FEATURE_BEACON_PROTECTION) ||
+		 wiphy_ext_feature_isset(&rdev->wiphy,
+					 NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
 		max_key_idx = 7;
+	else if (cfg80211_igtk_cipher_supported(rdev))
+		max_key_idx = 5;
+	else
+		max_key_idx = 3;
+
 	if (key_idx < 0 || key_idx > max_key_idx)
+		return false;
+
+	return true;
+}
+
+int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
+				   struct key_params *params, int key_idx,
+				   bool pairwise, const u8 *mac_addr)
+{
+	if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise))
 		return -EINVAL;
 
 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))



  parent reply	other threads:[~2020-12-23 15:34 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-23 15:33 [PATCH 5.10 00/40] 5.10.3-rc1 review Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 01/40] net: ipconfig: Avoid spurious blank lines in boot log Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 02/40] x86/split-lock: Avoid returning with interrupts enabled Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 03/40] exfat: Avoid allocating upcase table using kcalloc() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 04/40] soc/tegra: fuse: Fix index bug in get_process_id Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 05/40] usb: mtu3: fix memory corruption in mtu3_debugfs_regset() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 06/40] USB: serial: option: add interface-number sanity check to flag handling Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 07/40] USB: gadget: f_acm: add support for SuperSpeed Plus Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 08/40] USB: gadget: f_midi: setup SuperSpeed Plus descriptors Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 09/40] usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 10/40] USB: gadget: f_rndis: fix bitrate for SuperSpeed and above Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 11/40] usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 12/40] ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 13/40] ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410 Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 14/40] ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 15/40] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 16/40] coresight: tmc-etr: Check if page is valid before dma_map_page() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 17/40] coresight: tmc-etr: Fix barrier packet insertion for perf buffer Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 18/40] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 19/40] coresight: etm4x: Skip setting LPOVERRIDE bit for qcom, skip-power-up Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 20/40] coresight: etm4x: Fix accesses to TRCVMIDCTLR1 Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 21/40] coresight: etm4x: Fix accesses to TRCCIDCTLR1 Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 22/40] coresight: etm4x: Fix accesses to TRCPROCSELR Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 23/40] coresight: etm4x: Handle TRCVIPCSSCTLR accesses Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 24/40] f2fs: fix to seek incorrect data offset in inline data file Greg Kroah-Hartman
2020-12-24  1:11   ` Chao Yu
2020-12-24  7:52     ` Greg Kroah-Hartman
2020-12-24  9:38       ` Chao Yu
2020-12-23 15:33 ` [PATCH 5.10 25/40] f2fs: init dirty_secmap incorrectly Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 26/40] scsi: megaraid_sas: Check user-provided offsets Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 27/40] HID: i2c-hid: add Vero K147 to descriptor override Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 28/40] serial_core: Check for port state when tty is in error state Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 29/40] fscrypt: remove kernel-internal constants from UAPI header Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 30/40] fscrypt: add fscrypt_is_nokey_name() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 31/40] ubifs: prevent creating duplicate encrypted filenames Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 32/40] ext4: " Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 33/40] f2fs: " Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 34/40] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 35/40] quota: Sanity-check quota file headers on load Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 36/40] fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode() Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 37/40] media: msi2500: assign SPI bus number dynamically Greg Kroah-Hartman
2020-12-23 15:33 ` [PATCH 5.10 38/40] crypto: af_alg - avoid undefined behavior accessing salg_name Greg Kroah-Hartman
2020-12-23 15:33 ` Greg Kroah-Hartman [this message]
2020-12-23 15:33 ` [PATCH 5.10 40/40] md: fix a warning caused by a race between concurrent md_ioctl()s Greg Kroah-Hartman
2020-12-23 19:26 ` [PATCH 5.10 00/40] 5.10.3-rc1 review Jon Hunter
2020-12-26 15:07   ` Greg Kroah-Hartman
2020-12-24  0:56 ` Daniel Díaz
2020-12-26 15:07   ` Greg Kroah-Hartman
2020-12-24  9:43 ` Jeffrin Jose T
2020-12-26 15:06   ` Greg Kroah-Hartman
2020-12-27 15:50     ` Jeffrin Jose T
2020-12-27 16:05       ` Greg Kroah-Hartman
2020-12-27 21:33         ` Jeffrin Jose T
2020-12-28  9:50           ` Pavel Machek
2020-12-28 20:41             ` Guenter Roeck
2021-01-03 13:07               ` Jeffrin Jose T
2021-01-04  6:21                 ` Greg Kroah-Hartman
2021-01-06 19:38                   ` Jeffrin Jose T
2021-01-06 19:49                     ` Greg Kroah-Hartman
2021-01-06 23:56                       ` Jeffrin Jose T
2020-12-24 15:26 ` Guenter Roeck
2020-12-26 15:06   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201223150517.414201577@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=anant.thazhemadam@gmail.com \
    --cc=johannes.berg@intel.com \
    --cc=johannes@sipsolutions.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.