Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2034213imm; Thu, 24 May 2018 04:53:10 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpihWdDhuo73iGAtpBfj7IFMzibQw31H5LVGJfrwj5ttpb8DLMCyrJV+bxpWvSECUKGjNG/ X-Received: by 2002:a63:b248:: with SMTP id t8-v6mr5535818pgo.174.1527162790643; Thu, 24 May 2018 04:53:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527162790; cv=none; d=google.com; s=arc-20160816; b=mLg0NIBhqG3vghiwSat2XNFlH9Kl5yVHJRIPdlTNxcaKG7eoh+XgWAGorZUCfp/n2I ik1m1KRhsoxayaiWOJkbWvLVHafS7/XoZx+Z6UZBsGxD7M46urhJgbc6AmXplqUCZI3M 82xTA66tpmAZk6lmCO8JbR1bqDi127TIJFXf3rvBjHJEAIlnSOGZ7O1fm/z2xE7YLTAs Cjt2AXXa7FHfN3Y0GfIIoml8kTl4UiUEHC7tMegE2PaczSlDuYOrO7VD5r4PmGIeArNj MjuX2l4lpgQp/EijaOGxrL4pAs1FoBHQXlQbuI78wxRPAuxOOISJGKRXKGMo8U9LNUuu wdEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=dlm1bc7RDiPFpBPTedxUNx+hCPf1N2vzhSBjVkzWIIs=; b=F+MGjfxKreRB6SkQ/tS6KTpUTDaWujolJBQTs5quPDhriTkliu2SEQVgXEaucC0665 HFXNjo2PsFsgQpnMu9usdMo9efErgTfj9SqlLcCkQhPoz2HTs1NBzlk6hYjV24MiZHjC TbQbnyLtu+54T32pQxIBVJgpClTx09KwqzQ9guUd5qL2IgLWYpLUPtyNOtEgIIJqmivC +vwbFeO8s0kSsTcLsg+RLZYtx+Jn772ZV9PIp9qOcsv07PwRbnT3MOBYY5EtxsC6PiIy yOigacPuIZnGOshi2uWEIFskCmK1WkuZjNiNSW9aSuUARJHz6ZVe9bm4LMxT1k9lVZ6m 0Vbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JcW2viWy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d7-v6si21506335pfe.214.2018.05.24.04.52.55; Thu, 24 May 2018 04:53:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JcW2viWy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S969369AbeEXLwJ (ORCPT + 99 others); Thu, 24 May 2018 07:52:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:57948 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966932AbeEXJqe (ORCPT ); Thu, 24 May 2018 05:46:34 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 899D6208D6; Thu, 24 May 2018 09:46:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527155194; bh=/WX+t4rQ+FXnu0r09f07O+Xw0ilKBqFgAR6lDT7H6yQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JcW2viWyu7hnCW2KojHNSW/0426eHw7KSHh+LZiyWSiq/AHZ9q5xnBSpRi2iLPzjP /1Ie41ZqK8BJ6dITGL36I5+dYFOEqvd7acAJolZR2NpieHFf5PpXxnjmd6Q2cJGlQD uDWCKIRzNuLyQ13vBQb2pcQP2GBQ3SmLUhiFRA0c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com, Johannes Berg Subject: [PATCH 4.4 90/92] cfg80211: limit wiphy names to 128 bytes Date: Thu, 24 May 2018 11:39:07 +0200 Message-Id: <20180524093207.848496574@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093159.286472249@linuxfoundation.org> References: <20180524093159.286472249@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/nl80211.h | 2 ++ net/wireless/core.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -2195,6 +2195,8 @@ enum nl80211_attrs { #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS +#define NL80211_WIPHY_NAME_MAXLEN 128 + #define NL80211_MAX_SUPP_RATES 32 #define NL80211_MAX_SUPP_HT_RATES 77 #define NL80211_MAX_SUPP_REG_RULES 64 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -94,6 +94,9 @@ static int cfg80211_dev_check_name(struc ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {