Message-ID: <3025db173074d4dfbc323e91d3586f0e36426cf0.camel@sipsolutions.net>
Subject: Re: [PATCH] net: mac80211: cfg: enforce sanity checks for key_index in ieee80211_del_key()
From: Johannes Berg
To: Anant Thazhemadam, "David S. Miller", Jakub Kicinski
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Date: Tue, 01 Dec 2020 11:00:37 +0100
In-Reply-To: <20201201095639.63936-1-anant.thazhemadam@gmail.com>
References: <20201201095639.63936-1-anant.thazhemadam@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, 2020-12-01 at 15:26 +0530, Anant Thazhemadam wrote:
> Currently, it is assumed that key_idx values that are passed to
> ieee80211_del_key() are all valid indexes as is, and no sanity checks
> are performed for it.
> However, syzbot was able to trigger an array-index-out-of-bounds bug
> by passing a key_idx value of 5, when the maximum permissible index
> value is (NUM_DEFAULT_KEYS - 1).
> Enforcing sanity checks helps in preventing this bug, or a similar
> instance in the context of ieee80211_del_key() from occurring.

I think we should do this more generally in cfg80211, like in
nl80211_new_key() we do it via cfg80211_validate_key_settings().

I suppose we cannot use the same function, but still, would be good to
address this generally in nl80211 for all drivers.

johannes
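The following is an added stand-alone model of the two designs discussed in this thread; it is not mac80211 or cfg80211 code. It contrasts a driver-side delete that trusts key_idx (the "before" state the commit message describes) with a common-layer entry point that validates the index once before any driver op runs, which is the placement Johannes suggests. The function names, the struct, and the value NUM_DEFAULT_KEYS = 4 are assumptions of this example, not taken from the kernel.

```c
/* Added example, not kernel code: a stand-alone model of the key-index
 * check discussed in the thread. Names and NUM_DEFAULT_KEYS = 4 are
 * assumptions of this example, not taken from mac80211 or cfg80211. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_DEFAULT_KEYS 4  /* assumed table size for this example */

/* Toy stand-in for a driver's per-interface key table. */
struct key_table {
    bool installed[NUM_DEFAULT_KEYS];
};

/* Driver-side delete, modelled on the "before" state the commit message
 * describes: it trusts key_idx and indexes the table directly. With
 * key_idx >= NUM_DEFAULT_KEYS this reads past the array, which is the
 * class of out-of-bounds access syzbot reported. Its only caller below is
 * the common layer, which never hands it an unvalidated index. */
static int driver_del_key(struct key_table *t, unsigned int key_idx)
{
    if (!t->installed[key_idx])
        return -ENOENT;
    t->installed[key_idx] = false;
    return 0;
}

/* The check itself: the largest legal index is NUM_DEFAULT_KEYS - 1,
 * as the commit message states. */
static int validate_key_idx(unsigned int key_idx)
{
    return key_idx < NUM_DEFAULT_KEYS ? 0 : -EINVAL;
}

/* Common-layer entry point, modelled on the suggestion that the check
 * live in cfg80211/nl80211 so every driver benefits: validate once here,
 * and only then call the driver op. A per-driver check would have to be
 * repeated in each driver and can be missed, as happened here. */
static int common_del_key(struct key_table *t, unsigned int key_idx)
{
    int err = validate_key_idx(key_idx);
    if (err)
        return err;  /* the driver never sees the bad index */
    return driver_del_key(t, key_idx);
}

int main(void)
{
    /* Constructed sample table: keys 0, 1 and 3 installed. */
    struct key_table t = { .installed = { true, true, false, true } };
    unsigned int idx[] = { 0, 2, 5 };  /* valid, absent, out of range */
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("del_key(%u) -> %d\n", idx[i], common_del_key(&t, idx[i]));
    return 0;
}
```

Running it deletes key 0, reports -ENOENT for the empty slot 2, and rejects index 5 with -EINVAL before driver_del_key is reached; the same index 5 passed straight to driver_del_key would index past the four-entry array.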