linux-stable/drivers/net/wireless
Soenke Huster 8c0427842a wifi: mac80211_hwsim: check length for virtio packets
An invalid packet with a length shorter than the specified length in the
netlink header can lead to use-after-frees and slab-out-of-bounds in the
processing of the netlink attributes, such as the following:

  BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010
  Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12

  Workqueue: events hwsim_virtio_rx_work
  Call Trace:
   <TASK>
   dump_stack_lvl+0x45/0x5d
   print_report.cold+0x5e/0x5e5
   kasan_report+0xb1/0x1c0
   __nla_validate_parse+0x1258/0x2010
   __nla_parse+0x22/0x30
   hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0
   hwsim_virtio_rx_work+0x1b2/0x370
   process_one_work+0x8df/0x1530
   worker_thread+0x575/0x11a0
   kthread+0x29d/0x340
   ret_from_fork+0x22/0x30
   </TASK>

Discarding packets with an invalid length solves this.
Therefore, skb->len must be set at reception.

Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6
Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2022-09-03 16:40:06 +02:00
..
admtek wifi: mac80211: split bss_info_changed method 2022-06-20 12:55:09 +02:00
ath Tracing updates for 5.20 / 6.0 2022-08-05 09:41:12 -07:00
atmel wifi: atmel: fix repeated words in comments 2022-07-18 15:06:59 +03:00
broadcom Tracing updates for 5.20 / 6.0 2022-08-05 09:41:12 -07:00
cisco
intel wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() 2022-08-30 19:37:47 +03:00
intersil wifi: p54: add missing parentheses in p54_flush() 2022-07-18 14:54:50 +03:00
marvell SPDX changes for 6.0-rc1 2022-08-04 12:12:54 -07:00
mediatek wifi: mt76: mt7921e: fix crash in chip reset fail 2022-08-26 13:14:22 +02:00
microchip wifi: wilc1000: fix DMA on stack objects 2022-08-30 19:36:29 +03:00
purelifi wifi: plfxlc: Use eth_zero_addr() to assign zero address 2022-07-27 16:01:16 +03:00
quantenna wifi: qtnfmac: fix repeated words in comments 2022-07-18 15:09:03 +03:00
ralink wifi: rt2x00: fix repeated words in comments 2022-07-18 15:10:52 +03:00
realtek wifi: rtw88: check the return value of alloc_workqueue() 2022-07-29 16:35:53 +03:00
rsi wifi: rsi: fix repeated words in comments 2022-07-18 15:11:53 +03:00
silabs wifi: mac80211: replace link_id with link_conf in switch/(un)assign_vif_chanctx() 2022-07-15 11:43:20 +02:00
st wifi: mac80211: change QoS settings API to take link into account 2022-07-15 11:43:15 +02:00
ti wifi: wl12xx: Drop if with an always false condition 2022-07-27 15:51:53 +03:00
zydas wifi: mac80211: return a beacon for a specific link 2022-06-20 12:57:08 +02:00
Kconfig
Makefile
mac80211_hwsim.c wifi: mac80211_hwsim: check length for virtio packets 2022-09-03 16:40:06 +02:00
mac80211_hwsim.h wifi: mac80211_hwsim: support creating MLO-capable radios 2022-06-20 12:57:09 +02:00
ray_cs.c wifi: ray_cs: Drop useless status variable in parse_addr() 2022-06-08 11:08:34 +03:00
ray_cs.h
rayctl.h
rndis_wlan.c cfg80211: Indicate MLO connection info in connect and roam callbacks 2022-06-20 12:57:09 +02:00
virt_wifi.c wifi: virt_wifi: fix typo in comment 2022-06-10 15:35:49 +02:00
wl3501.h
wl3501_cs.c