From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg , Sasha Levin Subject: [PATCH 4.9 147/240] mac80211: bail out if cipher schemes are invalid Date: Thu, 20 May 2021 11:22:19 +0200 Message-Id: <20210520092113.591342911@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092108.587553970@linuxfoundation.org> References: <20210520092108.587553970@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg [ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ] If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support") Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/mac80211/main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index f31fd21d59ba..5f8c6f9563b0 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1036,8 +1036,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) if (local->hw.wiphy->max_scan_ie_len) local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; - WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, - local->hw.n_cipher_schemes)); + if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, + local->hw.n_cipher_schemes))) { + result = -EINVAL; + goto fail_workqueue; + } result = ieee80211_init_cipher_suites(local); if (result < 0) -- 2.30.2
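Review bot: the new error path in ieee80211_register_hw() jumps to fail_workqueue, but that label and the state set up before this point are outside the hunk's context, so the unwind cannot be checked from the patch alone. Please confirm it is the same label taken by the `if (result < 0)` check after ieee80211_init_cipher_suites() just below, since both failures happen at the same stage of registration. Keeping WARN_ON around the check is reasonable because an invalid scheme is a driver bug, but a one-line comment above the `if` saying that it guards against the out-of-bounds access in RX validation described in the commit message (hdr_len less than pn_offs + pn_len) would make the reason for failing registration clear to later readers.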