Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1757117pxb;
        Sat, 2 Apr 2022 02:17:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwuXRPDKj6CJP3AycIc0wKQmovvDHULhXaro7QW/7COE7oUETWshP+zCqlbDhO8Qh/03WgK
X-Received: by 2002:a17:907:3d87:b0:6e0:bef:c3cb with SMTP id he7-20020a1709073d8700b006e00befc3cbmr3117123ejc.503.1648891031122;
        Sat, 02 Apr 2022 02:17:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1648891031; cv=none;
        d=google.com; s=arc-20160816;
        b=t0AQvA+i809JoPpJBndimNSDKiURM8/1tcypWL8giXQTBnwKUJdvKOmmbcjiFyIB/L
         p9Fp4Nwsr+CdidI1ui4vbpOVuWB1cKmWkBwdYuLbxGVmBUNlOJwmf6j8I07aYL6wt9Yi
         yULyKDbIvw2B1ScQivuxU261H9cmKe3rK/HLihlpoVrn5keQlLDR7f0KbSaXwVFeCRaT
         isbO/32Ikqnp4Sb3Pf/jxhao/G+LI/ttPhmScy+ileaZ3cggxAaohp6ihCUO+f2x3InJ
         CXqWro3/SWR1E3QZBb2jGPj2H9K/I3bRu9cHW3IhDRJ6tq35W94z4sU2//I5j+m9ilUv
         2EwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=dE+eYbTlRphRYMzrizvUuQiOeaDFtpljQ+qdtyoyovA=;
        b=NS1XjdiTQ+PG0lxgTpq9xc/HZxEi0r2FVQzKeDoriz6EUn9Hnd4xHlO8rRkl10dSfF
         m2nKmgRrWqHcRdSQabrKtDLbAUh102psS+p8KUfHzEVPW3NV5NYT22enOPs9dkgg0BEC
         xRcKYsZbQvzlri8pqq5ey2254gV2CbPhQEHaKaSkjO8rz8ChMJXmLyAo/fve3vUDXfse
         xL9faVdV4UzmyVH+ajsr+jko/09/goc4eR0v77hDCfN7WDpVni+F57JPQtgTodEuiCQU
         DlHMZqrCXxYPciIsZk5p6RdEFODzljN7m+Eq2VWm6+YD0pOWabIevkQflAfr3y7/x7kl
         4mRw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=Ht9zSv45;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j19-20020a170906535300b006df76385e13si3062384ejo.691.2022.04.02.02.16.46;
        Sat, 02 Apr 2022 02:17:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcdkim header.b=Ht9zSv45;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1351249AbiDAShe (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Fri, 1 Apr 2022 14:37:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52180 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231605AbiDAShd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Apr 2022 14:37:33 -0400
Received: from alexa-out-sd-01.qualcomm.com (alexa-out-sd-01.qualcomm.com [199.106.114.38])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EB7841B8FC2;
        Fri,  1 Apr 2022 11:35:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=quicinc.com; i=@quicinc.com; q=dns/txt; s=qcdkim;
  t=1648838143; x=1680374143;
  h=message-id:date:mime-version:subject:to:cc:references:
   from:in-reply-to:content-transfer-encoding;
  bh=dE+eYbTlRphRYMzrizvUuQiOeaDFtpljQ+qdtyoyovA=;
  b=Ht9zSv45O6vA+B2AVgriwFwRtGgWB4GDon1mCGFn5irdM/8BLNa+fjqd
   JFnFXW0hRnq/qp5aROsF0jzW0dgFJczdfHVWEIEGWmfHk/l6X1J9diMIY
   EAxGQbIjAVo4XD0JoGE6VXzj7Y51GjleArI+jXZkrQ1U9LAadphCxAM3C
   g=;
Received: from unknown (HELO ironmsg04-sd.qualcomm.com) ([10.53.140.144])
  by alexa-out-sd-01.qualcomm.com with ESMTP; 01 Apr 2022 11:35:42 -0700
X-QCInternal: smtphost
Received: from nasanex01c.na.qualcomm.com ([10.47.97.222])
  by ironmsg04-sd.qualcomm.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Apr 2022 11:35:30 -0700
Received: from nalasex01a.na.qualcomm.com (10.47.209.196) by
 nasanex01c.na.qualcomm.com (10.47.97.222) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.986.22; Fri, 1 Apr 2022 11:35:29 -0700
Received: from [10.110.67.71] (10.80.80.8) by nalasex01a.na.qualcomm.com
 (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22; Fri, 1 Apr 2022
 11:35:29 -0700
Message-ID: <25b13a66-ab99-8ec8-847a-450827f6163b@quicinc.com>
Date:   Fri, 1 Apr 2022 11:35:28 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Subject: Re: [PATCH 1/1] nl80211: Prevent out-of-bounds read when processing
 NL80211_ATTR_REG_ALPHA2
Content-Language: en-US
To:     Lee Jones <lee.jones@linaro.org>
CC:     <linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>,
        Johannes Berg <johannes@sipsolutions.net>,
        "David S. Miller" <davem@davemloft.net>,
        "Jakub Kicinski" <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        <linux-wireless@vger.kernel.org>, <netdev@vger.kernel.org>
References: <20220401105046.1952815-1-lee.jones@linaro.org>
From:   Jeff Johnson <quic_jjohnson@quicinc.com>
In-Reply-To: <20220401105046.1952815-1-lee.jones@linaro.org>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To
 nalasex01a.na.qualcomm.com (10.47.209.196)
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/1/2022 3:50 AM, Lee Jones wrote:
> Checks are presently in place in validate_nla() to ensure strings
> greater than 2 are not passed in by the user which could potentially
> cause issues.
> 
> However, there is nothing to prevent userspace from only providing a
> single (1) Byte as the data length parameter via nla_put().  If this
> were to happen, it would cause an OOB read in regulatory_hint_user(),
> since it makes assumptions that alpha2[0] and alpha2[1] will always be
> accessible.
> 
> Add an additional check, to ensure enough data has been allocated to
> hold both Bytes.
> 
> Cc: <stable@vger.kernel.org>
> Cc: Johannes Berg <johannes@sipsolutions.net>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
>   net/wireless/nl80211.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index ee1c2b6b69711..80a516033db36 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -7536,6 +7536,10 @@ static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
>   		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
>   			return -EINVAL;
>   
> +		if (nla_len(info->attrs[NL80211_ATTR_REG_ALPHA2]) !=
> +		    nl80211_policy[NL80211_ATTR_REG_ALPHA2].len)
> +			return -EINVAL;
> +
>   		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
>   		return regulatory_hint_user(data, user_reg_hint_type);
>   	case NL80211_USER_REG_HINT_INDOOR:

LGTM

doesn't nl80211_set_reg() also have this issue?
	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
[...]
	rd->alpha2[0] = alpha2[0];
	rd->alpha2[1] = alpha2[1];