This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
value of channel specifications provided by the device is greater than
the length of 'list->element[]', decided by the size of the 'list'
allocated with kzalloc(). The patch adds checks that make the functions
free the buffer and return -EINVAL if that is the case. Note that the
negative return is handled by the caller, brcmf_setup_wiphybands() or
brcmf_cfg80211_attach().
Found by a modified version of syzkaller.
Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0.cold+0x93/0x334
kasan_report.cold+0x83/0xdf
brcmf_setup_wiphybands+0x1238/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
Allocated by task 1896:
kasan_save_stack+0x1b/0x40
__kasan_kmalloc+0x7c/0x90
kmem_cache_alloc_trace+0x19e/0x330
brcmf_setup_wiphybands+0x290/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888115f24000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff888115f24000, ffff888115f24800)
Memory state around the buggy address:
ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Crash Report from brcmf_enable_bw40_2g():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896
CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0.cold+0x93/0x334
kasan_report.cold+0x83/0xdf
brcmf_cfg80211_attach+0x3d11/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
Allocated by task 1896:
kasan_save_stack+0x1b/0x40
__kasan_kmalloc+0x7c/0x90
kmem_cache_alloc_trace+0x19e/0x330
brcmf_cfg80211_attach+0x3302/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888103787000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff888103787000, ffff888103787800)
Memory state around the buggy address:
ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Reported-by: Dokyung Song <[email protected]>
Reported-by: Jisoo Jang <[email protected]>
Reported-by: Minsuk Kang <[email protected]>
Reviewed-by: Arend van Spriel <[email protected]>
Signed-off-by: Minsuk Kang <[email protected]>
---
v1->v2: Added a macro BRCMF_MAX_CHANSPEC_LIST
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index ae9507dec74a..bff3128c2f26 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -101,6 +101,9 @@
#define BRCMF_ASSOC_PARAMS_FIXED_SIZE \
(sizeof(struct brcmf_assoc_params_le) - sizeof(u16))
+#define BRCMF_MAX_CHANSPEC_LIST \
+ (BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1)
+
struct brcmf_dump_survey {
u32 obss;
u32 ibss;
@@ -6840,6 +6843,13 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
band->channels[i].flags = IEEE80211_CHAN_DISABLED;
total = le32_to_cpu(list->count);
+ if (total > BRCMF_MAX_CHANSPEC_LIST) {
+ bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
+ total);
+ err = -EINVAL;
+ goto fail_pbuf;
+ }
+
for (i = 0; i < total; i++) {
ch.chspec = (u16)le32_to_cpu(list->element[i]);
cfg->d11inf.decchspec(&ch);
@@ -6985,6 +6995,13 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ];
list = (struct brcmf_chanspec_list *)pbuf;
num_chan = le32_to_cpu(list->count);
+ if (num_chan > BRCMF_MAX_CHANSPEC_LIST) {
+ bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
+ num_chan);
+ kfree(pbuf);
+ return -EINVAL;
+ }
+
for (i = 0; i < num_chan; i++) {
ch.chspec = (u16)le32_to_cpu(list->element[i]);
cfg->d11inf.decchspec(&ch);
--
2.25.1
Minsuk Kang <[email protected]> wrote:
> v1->v2: Added a macro BRCMF_MAX_CHANSPEC_LIST
>
> .../broadcom/brcm80211/brcmfmac/cfg80211.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index ae9507dec74a..bff3128c2f26 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -101,6 +101,9 @@
> #define BRCMF_ASSOC_PARAMS_FIXED_SIZE \
> (sizeof(struct brcmf_assoc_params_le) - sizeof(u16))
>
> +#define BRCMF_MAX_CHANSPEC_LIST \
> + (BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1)
> +
> struct brcmf_dump_survey {
> u32 obss;
> u32 ibss;
> @@ -6840,6 +6843,13 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
> band->channels[i].flags = IEEE80211_CHAN_DISABLED;
>
> total = le32_to_cpu(list->count);
> + if (total > BRCMF_MAX_CHANSPEC_LIST) {
> + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
> + total);
> + err = -EINVAL;
> + goto fail_pbuf;
> + }
> +
> for (i = 0; i < total; i++) {
> ch.chspec = (u16)le32_to_cpu(list->element[i]);
> cfg->d11inf.decchspec(&ch);
> @@ -6985,6 +6995,13 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
> band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ];
> list = (struct brcmf_chanspec_list *)pbuf;
> num_chan = le32_to_cpu(list->count);
> + if (num_chan > BRCMF_MAX_CHANSPEC_LIST) {
> + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
> + num_chan);
> + kfree(pbuf);
> + return -EINVAL;
> + }
> +
> for (i = 0; i < num_chan; i++) {
> ch.chspec = (u16)le32_to_cpu(list->element[i]);
> cfg->d11inf.decchspec(&ch);
I have incorporated your review in this patch.
Please let me know if any further changes are needed.
On 11/16/2022 3:29 PM, Minsuk Kang wrote:
> This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
> brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
> value of channel specifications provided by the device is greater than
> the length of 'list->element[]', decided by the size of the 'list'
> allocated with kzalloc(). The patch adds checks that make the functions
> free the buffer and return -EINVAL if that is the case. Note that the
> negative return is handled by the caller, brcmf_setup_wiphybands() or
> brcmf_cfg80211_attach().
>
> Found by a modified version of syzkaller.
>
> Crash Report from brcmf_construct_chaninfo():
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
> Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
>
> CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
[...]
> Reported-by: Dokyung Song <[email protected]>
> Reported-by: Jisoo Jang <[email protected]>
> Reported-by: Minsuk Kang <[email protected]>
> Reviewed-by: Arend van Spriel <[email protected]>
My earlier review comment is addressed so I am okay with the patch as is.
Regards,
Arend
Minsuk Kang <[email protected]> wrote:
> This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
> brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
> value of channel specifications provided by the device is greater than
> the length of 'list->element[]', decided by the size of the 'list'
> allocated with kzalloc(). The patch adds checks that make the functions
> free the buffer and return -EINVAL if that is the case. Note that the
> negative return is handled by the caller, brcmf_setup_wiphybands() or
> brcmf_cfg80211_attach().
>
> Found by a modified version of syzkaller.
>
> Crash Report from brcmf_construct_chaninfo():
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
> Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
>
> CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> dump_stack_lvl+0x57/0x7d
> print_address_description.constprop.0.cold+0x93/0x334
> kasan_report.cold+0x83/0xdf
> brcmf_setup_wiphybands+0x1238/0x1430
> brcmf_cfg80211_attach+0x2118/0x3fd0
> brcmf_attach+0x389/0xd40
> brcmf_usb_probe+0x12de/0x1690
> usb_probe_interface+0x25f/0x710
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_set_configuration+0x984/0x1770
> usb_generic_driver_probe+0x69/0x90
> usb_probe_device+0x9c/0x220
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_new_device.cold+0x463/0xf66
> hub_event+0x10d5/0x3330
> process_one_work+0x873/0x13e0
> worker_thread+0x8b/0xd10
> kthread+0x379/0x450
> ret_from_fork+0x1f/0x30
>
> Allocated by task 1896:
> kasan_save_stack+0x1b/0x40
> __kasan_kmalloc+0x7c/0x90
> kmem_cache_alloc_trace+0x19e/0x330
> brcmf_setup_wiphybands+0x290/0x1430
> brcmf_cfg80211_attach+0x2118/0x3fd0
> brcmf_attach+0x389/0xd40
> brcmf_usb_probe+0x12de/0x1690
> usb_probe_interface+0x25f/0x710
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_set_configuration+0x984/0x1770
> usb_generic_driver_probe+0x69/0x90
> usb_probe_device+0x9c/0x220
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_new_device.cold+0x463/0xf66
> hub_event+0x10d5/0x3330
> process_one_work+0x873/0x13e0
> worker_thread+0x8b/0xd10
> kthread+0x379/0x450
> ret_from_fork+0x1f/0x30
>
> The buggy address belongs to the object at ffff888115f24000
> which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 1536 bytes inside of
> 2048-byte region [ffff888115f24000, ffff888115f24800)
>
> Memory state around the buggy address:
> ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
> Crash Report from brcmf_enable_bw40_2g():
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
> Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896
>
> CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> dump_stack_lvl+0x57/0x7d
> print_address_description.constprop.0.cold+0x93/0x334
> kasan_report.cold+0x83/0xdf
> brcmf_cfg80211_attach+0x3d11/0x3fd0
> brcmf_attach+0x389/0xd40
> brcmf_usb_probe+0x12de/0x1690
> usb_probe_interface+0x25f/0x710
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_set_configuration+0x984/0x1770
> usb_generic_driver_probe+0x69/0x90
> usb_probe_device+0x9c/0x220
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_new_device.cold+0x463/0xf66
> hub_event+0x10d5/0x3330
> process_one_work+0x873/0x13e0
> worker_thread+0x8b/0xd10
> kthread+0x379/0x450
> ret_from_fork+0x1f/0x30
>
> Allocated by task 1896:
> kasan_save_stack+0x1b/0x40
> __kasan_kmalloc+0x7c/0x90
> kmem_cache_alloc_trace+0x19e/0x330
> brcmf_cfg80211_attach+0x3302/0x3fd0
> brcmf_attach+0x389/0xd40
> brcmf_usb_probe+0x12de/0x1690
> usb_probe_interface+0x25f/0x710
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_set_configuration+0x984/0x1770
> usb_generic_driver_probe+0x69/0x90
> usb_probe_device+0x9c/0x220
> really_probe+0x1be/0xa90
> __driver_probe_device+0x2ab/0x460
> driver_probe_device+0x49/0x120
> __device_attach_driver+0x18a/0x250
> bus_for_each_drv+0x123/0x1a0
> __device_attach+0x207/0x330
> bus_probe_device+0x1a2/0x260
> device_add+0xa61/0x1ce0
> usb_new_device.cold+0x463/0xf66
> hub_event+0x10d5/0x3330
> process_one_work+0x873/0x13e0
> worker_thread+0x8b/0xd10
> kthread+0x379/0x450
> ret_from_fork+0x1f/0x30
>
> The buggy address belongs to the object at ffff888103787000
> which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 1536 bytes inside of
> 2048-byte region [ffff888103787000, ffff888103787800)
>
> Memory state around the buggy address:
> ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
> Reported-by: Dokyung Song <[email protected]>
> Reported-by: Jisoo Jang <[email protected]>
> Reported-by: Minsuk Kang <[email protected]>
> Reviewed-by: Arend van Spriel <[email protected]>
> Signed-off-by: Minsuk Kang <[email protected]>
Patch applied to wireless-next.git, thanks.
4920ab131b2d wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
--
https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches