Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1999637imm; Thu, 24 May 2018 04:17:10 -0700 (PDT) X-Google-Smtp-Source: AB8JxZooIa41doINVnNXBteS6PXMiaJbDjwX7YynUzKgcXJvYUOeWoVVsVTFzuNuQARmrnq2poyw X-Received: by 2002:a17:902:2702:: with SMTP id c2-v6mr6814463plb.297.1527160630116; Thu, 24 May 2018 04:17:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527160630; cv=none; d=google.com; s=arc-20160816; b=vxJHQBOcRaxLt0hCEbPmO7RHjcMP9Y6uJKfNeeRsip3UGNPFDVGh/l4EoNrAChbbs5 lXeuxbUzJc8jtY4tarxS0AJ+QSVylL3gsW8GnhtCU3T1IVcPOZCiln3l69hmq+7WAbZA FA6rlmcqAg7QhKG9E7QAsneo477PQ5SSD9N/mtmlvPhzo7QMFKrJzrKg21ioTroRKflm wSgDc1zqjd5DBmIvqzp1AUvWp8sWc6rEdVNkHpXio237ssqBZqNBbmNu8kL7ojDPOpuF fLs/DVALGsxN7PLaoafv7BZA/4krRL5qu3xi/z9WciywTi2XmuVcAYbP76q6OTHWBJQs gXyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=QWqU9g+aevjRoEzVBnpuhLm4Jajndpt99nLVm8ljuuU=; b=glPyzLEcbEdafa/UTNwgdomTCiiLri+HWBnc304edrDBb56zWCjlelDZO9YQHqvxFX s5QQl/AfyyZsB3HPIVqYJaSBa1HM08lFK4V70mJESH5WNR6VJebcnF0V2P+PAxRnXxpz 8bOQTcUAyq95M3XpxIqA2lsTtDC9pKjqcVqjM/C6jVccP6BpOWbF1JJmN2gRubWGEOch aNuC6yLe/dOS3hSkIFawnYpYP01ty9UpRDboGUo4iyHjIE/+g+937II0OZ0EhZp2lC/w Xk0PwAlSVRk0TdrUEimr5Ul1xdzZMQxuvT4mNOQJuvrsLaw63pWTRZ1d5LSk6oHjBhjT 47tg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SQrhnUiK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z73-v6si490073pgd.122.2018.05.24.04.16.55; Thu, 24 May 2018 04:17:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SQrhnUiK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S968053AbeEXJxe (ORCPT + 99 others); Thu, 24 May 2018 05:53:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:59494 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S968037AbeEXJx1 (ORCPT ); Thu, 24 May 2018 05:53:27 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 14E162089F; Thu, 24 May 2018 09:53:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527155606; bh=/IlMMQfyhnjhgBkfk+96k0/UkTU4lfyrCe1fPFKIUxg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SQrhnUiKmQPVF47wdsIUSWIsKkfSRRQ37Zm0iRyB05IqLoQvf4zlXpkOW6jO5HlVq jOoy70ZlxEoin8vqiJBtxGInMHMd9j56KGLXeJEsDqHh4Rf+LV+hhPmBUxujejDGWs 1nmiyeea0Q4gJxby2Hi1biDWU/RZsgSrl+tAQM9k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com, Johannes Berg Subject: [PATCH 4.14 051/165] cfg80211: limit wiphy names to 128 bytes Date: Thu, 24 May 2018 11:37:37 +0200 Message-Id: <20180524093624.091129328@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093621.979359379@linuxfoundation.org> References: <20180524093621.979359379@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/nl80211.h | 2 ++ net/wireless/core.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -2604,6 +2604,8 @@ enum nl80211_attrs { #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS +#define NL80211_WIPHY_NAME_MAXLEN 128 + #define NL80211_MAX_SUPP_RATES 32 #define NL80211_MAX_SUPP_HT_RATES 77 #define NL80211_MAX_SUPP_REG_RULES 64 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struc ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {