From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg, Sasha Levin
Subject: [PATCH 4.4 118/190] mac80211: bail out if cipher schemes are invalid
Date: Thu, 20 May 2021 11:23:02 +0200
Message-Id: <20210520092106.110795698@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210520092102.149300807@linuxfoundation.org>
References: <20210520092102.149300807@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

[ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ]

If any of the cipher schemes specified by the driver are invalid, bail
out and fail the registration rather than just warning. Otherwise, we
might later crash when we try to use the invalid cipher scheme, e.g.
if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd
have an out-of-bounds access in RX validation.

Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
---
 net/mac80211/main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 2357b17254e7..871931577ef4 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1019,8 +1019,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) if (local->hw.wiphy->max_scan_ie_len) local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; - WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, - local->hw.n_cipher_schemes)); + if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, + local->hw.n_cipher_schemes))) { + result = -EINVAL; + goto fail_workqueue; + } result = ieee80211_init_cipher_suites(local); if (result < 0) -- 2.30.2
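
Review bot: The unwind target of the added branch, `goto fail_workqueue`, needs confirming against the 4.4 tree for this backport. The hunk shows neither the label's definition nor the label taken by the `ieee80211_init_cipher_suites()` failure path directly below. Nothing is set up between the new check and that call, so both error paths should release the same state and would normally share a label. Please check that `fail_workqueue` exists in 4.4's `ieee80211_register_hw()` and frees only what has been allocated by this point. Separately, the bare `WARN_ON()` does not identify which entry of `local->hw.cipher_schemes` failed validation. Registration now fails hard on it, so a short message naming the offending index would help driver authors diagnose the `-EINVAL`.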