![]() [ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ] Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the following: [ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25 [ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]' <...skipped...> [ T4985] Call Trace: [ T4985] <TASK> [ T4985] dump_stack_lvl+0x1c2/0x2a0 [ T4985] ? __pfx_dump_stack_lvl+0x10/0x10 [ T4985] ? __pfx__printk+0x10/0x10 [ T4985] __ubsan_handle_out_of_bounds+0x127/0x150 [ T4985] cfg80211_wext_siwscan+0x11a4/0x1260 <...the rest is not too useful...> Even if we do 'creq->n_channels = n_channels' before 'creq->ssids = (void *)&creq->channels[n_channels]', UBSAN treats the latter as off-by-one error. Fix this by using pointer arithmetic rather than an expression with explicit array indexing and use convenient 'struct_size()' to simplify the math here and in 'kzalloc()' above. Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Reviewed-by: Kees Cook <kees@kernel.org> Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru [fix coding style for multi-line calculation] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
---|---|---|
.. | ||
certs | ||
ap.c | ||
chan.c | ||
core.c | ||
core.h | ||
debugfs.c | ||
debugfs.h | ||
ethtool.c | ||
ibss.c | ||
Kconfig | ||
lib80211.c | ||
lib80211_crypt_ccmp.c | ||
lib80211_crypt_tkip.c | ||
lib80211_crypt_wep.c | ||
Makefile | ||
mesh.c | ||
mlme.c | ||
nl80211.c | ||
nl80211.h | ||
ocb.c | ||
of.c | ||
pmsr.c | ||
radiotap.c | ||
rdev-ops.h | ||
reg.c | ||
reg.h | ||
scan.c | ||
sme.c | ||
sysfs.c | ||
sysfs.h | ||
trace.c | ||
trace.h | ||
util.c | ||
wext-compat.c | ||
wext-compat.h | ||
wext-core.c | ||
wext-priv.c | ||
wext-proc.c | ||
wext-sme.c | ||
wext-spy.c |