Dmitry Antipov 26dc7df8fb wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() ... [ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ] Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the following: [ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25 [ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]' <...skipped...> [ T4985] Call Trace: [ T4985] <TASK> [ T4985] dump_stack_lvl+0x1c2/0x2a0 [ T4985] ? __pfx_dump_stack_lvl+0x10/0x10 [ T4985] ? __pfx__printk+0x10/0x10 [ T4985] __ubsan_handle_out_of_bounds+0x127/0x150 [ T4985] cfg80211_wext_siwscan+0x11a4/0x1260 <...the rest is not too useful...> Even if we do 'creq->n_channels = n_channels' before 'creq->ssids = (void *)&creq->channels[n_channels]', UBSAN treats the latter as off-by-one error. Fix this by using pointer arithmetic rather than an expression with explicit array indexing and use convenient 'struct_size()' to simplify the math here and in 'kzalloc()' above. Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Reviewed-by: Kees Cook <kees@kernel.org> Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru [fix coding style for multi-line calculation] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-11-23 23:21:18 +01:00
..
certs
ap.c
chan.c
core.c
core.h
debugfs.c
debugfs.h
ethtool.c
ibss.c
Kconfig
lib80211.c
lib80211_crypt_ccmp.c
lib80211_crypt_tkip.c
lib80211_crypt_wep.c
Makefile
mesh.c
mlme.c
nl80211.c	wifi: nl80211: don't give key data to userspace	2024-11-23 23:20:23 +01:00
nl80211.h
ocb.c
of.c
pmsr.c
radiotap.c
rdev-ops.h
reg.c
reg.h
scan.c	wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()	2024-11-23 23:21:18 +01:00
sme.c
sysfs.c
sysfs.h
trace.c
trace.h
util.c
wext-compat.c
wext-compat.h
wext-core.c
wext-priv.c
wext-proc.c
wext-sme.c
wext-spy.c