2023-10-04 14:39:08

by Igor Artemiev

[permalink] [raw]
Subject: [lvc-project] [PATCH] wifi: mac80211: fix buffer overflow in ieee80211_rx_get_bigtk()

If 'idx' is 0, then 'idx2' is -1, and arrays
will be accessed by a negative index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Igor Artemiev <[email protected]>
---
net/mac80211/rx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index e751cda5eef6..e686380434bd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1868,10 +1868,13 @@ ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
key = rcu_dereference(rx->link_sta->gtk[idx]);
if (!key)
key = rcu_dereference(rx->link->gtk[idx]);
- if (!key && rx->link_sta)
- key = rcu_dereference(rx->link_sta->gtk[idx2]);
- if (!key)
- key = rcu_dereference(rx->link->gtk[idx2]);
+
+ if (idx2 >= 0) {
+ if (!key && rx->link_sta)
+ key = rcu_dereference(rx->link_sta->gtk[idx2]);
+ if (!key)
+ key = rcu_dereference(rx->link->gtk[idx2]);
+ }

return key;
}
--
2.30.2


2023-10-05 14:32:40

by Igor Artemiev

[permalink] [raw]
Subject: Re: [lvc-project] [PATCH] wifi: mac80211: fix buffer overflow in ieee80211_rx_get_bigtk()


On 10/4/23 17:58, Johannes Berg wrote:
> And ... how exactly do you propose that is going to happen?

'conf.keyidx', the value that is passed to the function, can be 0. But I
missed checking the second argument of the ieee80211_rx_get_bigtk()
function before calling it. Sorry to bother you.

Thanks,
Igor