kernel_samsung_a53x/net/wireless
Dmitry Antipov 26dc7df8fb wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ]

Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
following:

[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
<...skipped...>
[ T4985] Call Trace:
[ T4985]  <TASK>
[ T4985]  dump_stack_lvl+0x1c2/0x2a0
[ T4985]  ? __pfx_dump_stack_lvl+0x10/0x10
[ T4985]  ? __pfx__printk+0x10/0x10
[ T4985]  __ubsan_handle_out_of_bounds+0x127/0x150
[ T4985]  cfg80211_wext_siwscan+0x11a4/0x1260
<...the rest is not too useful...>

Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
(void *)&creq->channels[n_channels]', UBSAN treats the latter as
off-by-one error. Fix this by using pointer arithmetic rather than
an expression with explicit array indexing and use convenient
'struct_size()' to simplify the math here and in 'kzalloc()' above.

Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
[fix coding style for multi-line calculation]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:18 +01:00
..
certs
ap.c
chan.c
core.c
core.h
debugfs.c
debugfs.h
ethtool.c
ibss.c
Kconfig
lib80211.c
lib80211_crypt_ccmp.c
lib80211_crypt_tkip.c
lib80211_crypt_wep.c
Makefile
mesh.c
mlme.c
nl80211.c wifi: nl80211: don't give key data to userspace 2024-11-23 23:20:23 +01:00
nl80211.h
ocb.c
of.c
pmsr.c
radiotap.c
rdev-ops.h
reg.c
reg.h
scan.c wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() 2024-11-23 23:21:18 +01:00
sme.c
sysfs.c
sysfs.h
trace.c
trace.h
util.c
wext-compat.c
wext-compat.h
wext-core.c
wext-priv.c
wext-proc.c
wext-sme.c
wext-spy.c