Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2029139imm; Thu, 24 May 2018 04:47:47 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqfqZDkKR+twVmstFLaV0ChG7XnruuK+SjpkvrzCSqXX6VfFzZDKtfV97N6UHxrTg8Bbfrj X-Received: by 2002:a17:902:b60a:: with SMTP id b10-v6mr6896588pls.221.1527162467651; Thu, 24 May 2018 04:47:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527162467; cv=none; d=google.com; s=arc-20160816; b=LG/N6oLxP8MHyaJK1ps/Kx08q/HzGIL6T1QeOSfbXME595MrZz4V9b1BcwzNXylfPv eilBVl9D8/lm9eQF2kY0oVONdHo0soQ2mT4ln2GI3iPBCVBGCao95wyH4WmDqJdNDXVW jkowgYflBt7DZiMkMa4JRLdd7F9lxQA5BUIFM8n7bzEoaLHNO6ZpDqfhqhWOSWiG9GpO Cjc7/HD8FeKaiWo9Fb6corAr53FD5VMDSyXEWLsyhLBgTe62pBqglq2BZTXM50iXJbZQ mkH/P0gaWGu0xiZbB8oiy0HOTGe4W0FQAbkrWXo/PBbUbtKo/mZJowufKvw+7pqUf896 e3cQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=7FeMTOkCB703Nfx6tQ6huhjSmJSWd4BhcKPVO1IXlx8=; b=mSdcK7DmovUhRpJnRzyBB7o++qbc0Y39ldN/Iz4pUQWZ4X0WTiJSoHw1rtl3/a/OPj I+hmLXweGg6IwhRuMR5kHcrCkwu7/YdyaVPX11lhJW+Ri2mr2k2TlKd2/PH0lmACTLIX L6Bd122J/zrcp84lcZ9q2io81jq8xxeXv7t7iqwaR3v0xCWwlq0yUlq7DEp0Frw3Wg5v K1r9eyNMQdbak2rFIn1gB14pfJLtgWxVRF8CeToTigTu/Q4QLFKQXaVQqg9ho6eDmD7z nk6FeQRXR37kMv8smQiCw1VmU6Y5XNuIjimxUb0/VHXPCQTBRAogqLOR6qFJVE5tD4ne Vp/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N/GiUzre; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f9-v6si16546990pgt.625.2018.05.24.04.47.32; Thu, 24 May 2018 04:47:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N/GiUzre; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S967122AbeEXJrv (ORCPT + 99 others); Thu, 24 May 2018 05:47:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:60456 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S967084AbeEXJrm (ORCPT ); Thu, 24 May 2018 05:47:42 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0528B208DE; Thu, 24 May 2018 09:47:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527155261; bh=wkUjQHwr2VKNP+AS0kotmcB3LxCMUxsTwEb1ndrQuS8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N/GiUzreWNP7QJ7HqJvmxQsx3WkehbsWFZ3rpOXYcG2iunwg3B2oMp4OQj2Leui3M nEs46XNKFtYLZS/ucVeZc/F+swGkuLOKe10RKCpoxO3EX4FoHhGZ4e5HnEuVMs3w+3 PuazlS8qO0xmdP31fpdIG+E60gSJeYy9xSgPRtos= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com, Johannes Berg Subject: [PATCH 4.9 21/96] cfg80211: limit wiphy names to 128 bytes Date: Thu, 24 May 2018 11:38:04 +0200 Message-Id: <20180524093606.821735070@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093605.602125311@linuxfoundation.org> References: <20180524093605.602125311@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/nl80211.h | 2 ++ net/wireless/core.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -2379,6 +2379,8 @@ enum nl80211_attrs { #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS +#define NL80211_WIPHY_NAME_MAXLEN 128 + #define NL80211_MAX_SUPP_RATES 32 #define NL80211_MAX_SUPP_HT_RATES 77 #define NL80211_MAX_SUPP_REG_RULES 64 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struc ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {