From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg, Sasha Levin
Subject: [PATCH 5.10 407/530] mac80211: bail out if cipher schemes are invalid
Date: Wed, 12 May 2021 16:48:37 +0200
Message-Id: <20210512144833.139665868@linuxfoundation.org>
In-Reply-To: <20210512144819.664462530@linuxfoundation.org>
References: <20210512144819.664462530@linuxfoundation.org>

From: Johannes Berg

[ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ]

If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation.

Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin

--- net/mac80211/main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 19c093bb3876..73893025922f 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1150,8 +1150,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) if (local->hw.wiphy->max_scan_ie_len) local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; - WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, - local->hw.n_cipher_schemes)); + if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, + local->hw.n_cipher_schemes))) { + result = -EINVAL; + goto fail_workqueue; + } result = ieee80211_init_cipher_suites(local); if (result < 0) -- 2.30.2
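Review bot: the new failure branch in ieee80211_register_hw() returns -EINVAL with nothing but the bare `WARN_ON(...)` backtrace, so a driver author whose registration now fails cannot tell which entry of `local->hw.cipher_schemes` was rejected or which bound it broke (the commit message's example is hdr_len smaller than pn_offs + pn_len). Consider logging a wiphy_err() line inside the `if` block that names the offending scheme, or having ieee80211_cs_list_valid() report the index it rejected. Separately, the hunk does not show what has been set up before this point, so it is worth confirming that `goto fail_workqueue;` is the unwind label matching everything allocated up to the max_scan_ie_len adjustment just above the check, and that ieee80211_cs_list_valid(), whose body is not in this diff, actually enforces the hdr_len bound the commit message relies on.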