* [PATCH] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
@ 2020-10-07 3:54 Anant Thazhemadam
2020-10-08 20:00 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Anant Thazhemadam @ 2020-10-07 3:54 UTC (permalink / raw)
Cc: linux-kernel-mentees, Anant Thazhemadam,
syzbot+b1bb342d1d097516cbda, Johannes Berg, David S. Miller,
Jakub Kicinski, linux-wireless, netdev, linux-kernel
In nl80211_parse_key(), key.idx is first initialized as -1.
If this value of key.idx remains unmodified and gets returned, and
nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
with key.idx = -1.
This causes an out-of-bounds array access.
Handle this issue by checking if the value of key.idx after
nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 2c9e9a2d1688..7fd45f6ddb05 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4172,6 +4172,9 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
if (err)
return err;
+ if (key.idx < 0)
+ return -EINVAL;
+
if (info->attrs[NL80211_ATTR_MAC])
mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
2020-10-07 3:54 [PATCH] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() Anant Thazhemadam
@ 2020-10-08 20:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2020-10-08 20:00 UTC (permalink / raw)
To: Anant Thazhemadam
Cc: linux-kernel-mentees, syzbot+b1bb342d1d097516cbda, johannes,
davem, kuba, linux-wireless, netdev, linux-kernel
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Wed, 7 Oct 2020 09:24:01 +0530 you wrote:
> In nl80211_parse_key(), key.idx is first initialized as -1.
> If this value of key.idx remains unmodified and gets returned, and
> nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
> with key.idx = -1.
> This causes an out-of-bounds array access.
>
> Handle this issue by checking if the value of key.idx after
> nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
>
> [...]
Here is the summary with links:
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
https://git.kernel.org/netdev/net/c/3dc289f8f139
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-10-08 20:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-07 3:54 [PATCH] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() Anant Thazhemadam
2020-10-08 20:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).