stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com,
	Johannes Berg <johannes@sipsolutions.net>,
	Anant Thazhemadam <anant.thazhemadam@gmail.com>,
	Johannes Berg <johannes.berg@intel.com>,
	Zubin Mithra <zsm@chromium.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 03/58] nl80211: validate key indexes for cfg80211_registered_device
Date: Tue,  8 Jun 2021 20:26:44 +0200	[thread overview]
Message-ID: <20210608175932.382250541@linuxfoundation.org> (raw)
In-Reply-To: <20210608175932.263480586@linuxfoundation.org>

From: Anant Thazhemadam <anant.thazhemadam@gmail.com>

commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream

syzbot discovered a bug in which an OOB access was being made because
an unsuitable key_idx value was wrongly considered to be acceptable
while deleting a key in nl80211_del_key().

Since we don't know the cipher at the time of deletion, if
cfg80211_validate_key_settings() were to be called directly in
nl80211_del_key(), even valid keys would be wrongly determined invalid,
and deletion wouldn't occur correctly.
For this reason, a new function - cfg80211_valid_key_idx(), has been
created, to determine if the key_idx value provided is valid or not.
cfg80211_valid_key_idx() is directly called in 2 places -
nl80211_del_key(), and cfg80211_validate_key_settings().

Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com
Cc: stable@vger.kernel.org
[also disallow IGTK key IDs if no IGTK cipher is supported]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/core.h    |  2 ++
 net/wireless/nl80211.c |  7 ++++---
 net/wireless/util.c    | 39 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/net/wireless/core.h b/net/wireless/core.h
index f5d58652108d..5f177dad2fa8 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -404,6 +404,8 @@ void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev);
 
 /* internal helpers */
 bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise);
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5f0605275fa3..04c4fd376e1d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3624,9 +3624,6 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
 	if (err)
 		return err;
 
-	if (key.idx < 0)
-		return -EINVAL;
-
 	if (info->attrs[NL80211_ATTR_MAC])
 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
@@ -3642,6 +3639,10 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
 	    key.type != NL80211_KEYTYPE_GROUP)
 		return -EINVAL;
 
+	if (!cfg80211_valid_key_idx(rdev, key.idx,
+				    key.type == NL80211_KEYTYPE_PAIRWISE))
+		return -EINVAL;
+
 	if (!rdev->ops->del_key)
 		return -EOPNOTSUPP;
 
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 6f9cff2ee795..c4536468dfbe 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -214,11 +214,48 @@ bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher)
 	return false;
 }
 
+static bool
+cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev)
+{
+	struct wiphy *wiphy = &rdev->wiphy;
+	int i;
+
+	for (i = 0; i < wiphy->n_cipher_suites; i++) {
+		switch (wiphy->cipher_suites[i]) {
+		case WLAN_CIPHER_SUITE_AES_CMAC:
+		case WLAN_CIPHER_SUITE_BIP_CMAC_256:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_128:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_256:
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise)
+{
+	int max_key_idx;
+
+	if (pairwise)
+		max_key_idx = 3;
+	else if (cfg80211_igtk_cipher_supported(rdev))
+		max_key_idx = 5;
+	else
+		max_key_idx = 3;
+
+	if (key_idx < 0 || key_idx > max_key_idx)
+		return false;
+
+	return true;
+}
+
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr)
 {
-	if (key_idx < 0 || key_idx > 5)
+	if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise))
 		return -EINVAL;
 
 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
-- 
2.30.2




  parent reply	other threads:[~2021-06-08 18:39 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-08 18:26 [PATCH 4.19 00/58] 4.19.194-rc1 review Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 01/58] net: usb: cdc_ncm: dont spew notifications Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 02/58] ALSA: usb: update old-style static const declaration Greg Kroah-Hartman
2021-06-08 18:26 ` Greg Kroah-Hartman [this message]
2021-06-08 18:26 ` [PATCH 4.19 04/58] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 05/58] efi: cper: fix snprintf() use in cper_dimm_err_location() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 06/58] vfio/pci: Fix error return code in vfio_ecap_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 07/58] vfio/pci: zap_vma_ptes() needs MMU Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 08/58] samples: vfio-mdev: fix error handing in mdpy_fb_probe() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 09/58] vfio/platform: fix module_put call in error flow Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 10/58] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 11/58] HID: pidff: fix error return code in hid_pidff_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 12/58] HID: i2c-hid: fix format string mismatch Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 13/58] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 14/58] ieee802154: fix error return code in ieee802154_add_iface() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 15/58] ieee802154: fix error return code in ieee802154_llsec_getparams() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 16/58] ixgbevf: add correct exception tracing for XDP Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 17/58] tipc: add extack messages for bearer/media failure Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.19 18/58] tipc: fix unique bearer names sanity check Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 19/58] Bluetooth: fix the erroneous flush_work() order Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 20/58] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 21/58] net: caif: added cfserl_release function Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 22/58] net: caif: add proper error handling Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 23/58] net: caif: fix memory leak in caif_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 24/58] net: caif: fix memory leak in cfusbl_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 25/58] HID: multitouch: require Finger field to mark Win8 reports as MT Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 26/58] ALSA: timer: Fix master timer notification Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 27/58] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 28/58] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators Greg Kroah-Hartman
2021-06-08 19:09   ` Sudip Mukherjee
2021-06-09  6:25     ` Greg Kroah-Hartman
2021-06-08 19:13   ` Naresh Kamboju
2021-06-09  6:25     ` Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 29/58] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 30/58] usb: dwc2: Fix build in periphal-only mode Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 31/58] pid: take a reference when initializing `cad_pid` Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 32/58] ocfs2: fix data corruption by fallocate Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 33/58] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 34/58] x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 35/58] btrfs: mark ordered extent and inode with error if we fail to finish Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 36/58] btrfs: fix error handling in btrfs_del_csums Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 37/58] btrfs: return errors from btrfs_del_csums in cleanup_ref_head Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 38/58] btrfs: fixup error handling in fixup_inode_link_counts Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 39/58] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 40/58] bpf: fix test suite to enable all unpriv program types Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 41/58] bpf: test make sure to run unpriv test cases in test_verifier Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 42/58] selftests/bpf: Generalize dummy program types Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 43/58] bpf: Add BPF_F_ANY_ALIGNMENT Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 44/58] bpf: Adjust F_NEEDS_EFFICIENT_UNALIGNED_ACCESS handling in test_verifier.c Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 45/58] bpf: Make more use of any alignment " Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 46/58] bpf: Apply F_NEEDS_EFFICIENT_UNALIGNED_ACCESS to more ACCEPT test cases Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 47/58] selftests/bpf: add "any alignment" annotation for some tests Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 48/58] selftests/bpf: Avoid running unprivileged tests with alignment requirements Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 49/58] bnxt_en: Remove the setting of dev_port Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 50/58] perf/cgroups: Dont rotate events for cgroups unnecessarily Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 51/58] perf/core: Fix corner case in perf_rotate_context() Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 52/58] btrfs: fix unmountable seed device after fstrim Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 53/58] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 54/58] KVM: arm64: Fix debug register indexing Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 55/58] ACPI: probe ECDT before loading AML tables regardless of module-level code flag Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 56/58] ACPI: EC: Look for ECDT EC after calling acpi_load_tables() Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 57/58] sched/fair: Optimize select_idle_cpu Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.19 58/58] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
2021-06-08 18:45 ` [PATCH 4.19 00/58] 4.19.194-rc1 review Naresh Kamboju
2021-06-08 22:41   ` Pavel Machek
2021-06-09  6:25     ` Greg Kroah-Hartman
2021-06-10 11:40       ` Marek Vasut
2021-06-11  7:28         ` Greg Kroah-Hartman
2021-06-09  2:55 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210608175932.382250541@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=anant.thazhemadam@gmail.com \
    --cc=johannes.berg@intel.com \
    --cc=johannes@sipsolutions.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com \
    --cc=zsm@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).