Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1946163imm; Thu, 24 May 2018 03:24:03 -0700 (PDT) X-Google-Smtp-Source: AB8JxZppMBZiaHckGAoQUe7cZzg6eQsR7ZX/1fTQNpGLo7RJn+mID8r6SjfWhj0JDI/DlJve1My4 X-Received: by 2002:a17:902:8345:: with SMTP id z5-v6mr6587247pln.311.1527157442958; Thu, 24 May 2018 03:24:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527157442; cv=none; d=google.com; s=arc-20160816; b=vvcLKChIs3fXTwoL+HBZPoPdc83yPink6qs7kcFsfxYJlA7cxTZhFPFygQPWRlOIYk PaMImhkvA703NXjfHo9w5KQY3obdBsxp91HFuT/qwyrecGnfyf9woAQHJH5mfYiW8+TO 0iXALddK815igciiDOy+33onkx4KZ+KHjftT9IAjvy/Ezpsc6aS+w3YkXCPuI61UuOsq as+9Y/UX1tHN51jsa9HKyCA3OyHVc6VQmotFMgW/oJEmZPRRDm6yF2Ll3sdijY1VluZB tTHtPgpwiXW7gqRuL+HFeMP4cGosA3g01jtYUIqsZGOmVPBtn2ou9++RsEgvFk8SHpm9 poZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=Y9cJAADyzhHXITBzM+Jts3OUezyd7Ifbysb90sYaOgY=; b=rsxq4prhd1llhCTbixmGwd3mgky5Q4L5enq58XhrIBFtxR5QzqxDZ2DznL/CmTR4bn WwLdmK4KlpAvkvhQ8NEnV7oBARZS4ufpGolKjqhAPsMND9huUB3J8shAPoTFZzZKTXX9 Ya4CoXaD6/MhkBTQdA1CeQPLam4yQQCbvXCyIxeco8k+KbBoLnYODhUxxVHiX7AgzZxe 9VrHTKMK5cyhSxfaKmxNyOXGk7lxj7Sw+lgbccDu9Kai+P4GRaXlyCd18WqvnruXAucX uEf+jiMxr+wwwO4KlepMuHqbTv4M5Hnclc2HOy7TfcpBAD6voFASmbRggjMqcPv/d9/k I0YQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Nis+Oo83; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m11-v6si2255129pga.530.2018.05.24.03.23.48; Thu, 24 May 2018 03:24:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Nis+Oo83; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1031957AbeEXKXI (ORCPT + 99 others); Thu, 24 May 2018 06:23:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:50826 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030833AbeEXKCq (ORCPT ); Thu, 24 May 2018 06:02:46 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B0CAF20870; Thu, 24 May 2018 10:02:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527156166; bh=YOXmCWROUJ/kfohrAN7KRDXWZacCSfpunSgBaA2FMEM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Nis+Oo83hT8shKAri4avBzMsiJk5k2WluGkK2uypdjh9ZsKwvQ84FDbzUsVxBKn7L XQODC8LncJ48hB7UrDbJo+LECz4/5z3+X49H5MLAslzamFHSYzW7qY1LlZ8BaxCBbL 6YhnXh0CyFyoolNGJyuHDUgKzuI2hv7a21FuxU/A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com, Johannes Berg Subject: [PATCH 4.16 087/161] cfg80211: limit wiphy names to 128 bytes Date: Thu, 24 May 2018 11:38:32 +0200 Message-Id: <20180524093028.878554842@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093018.331893860@linuxfoundation.org> References: <20180524093018.331893860@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/nl80211.h | 2 ++ net/wireless/core.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -2618,6 +2618,8 @@ enum nl80211_attrs { #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS +#define NL80211_WIPHY_NAME_MAXLEN 128 + #define NL80211_MAX_SUPP_RATES 32 #define NL80211_MAX_SUPP_HT_RATES 77 #define NL80211_MAX_SUPP_REG_RULES 64 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struc ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {