From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Kees Cook, Johannes Berg, stable@vger.kernel.org, Sid Hayn
Subject: [PATCH] mac80211: fix radiotap header generation
Date: Tue, 9 Nov 2021 10:02:04 +0100
Message-Id: <20211109100203.c61007433ed6.I1dade57aba7de9c4f48d68249adbae62636fd98c@changeid>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

From: Johannes Berg

In commit 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header
bitmap") we accidentally pointed the position to the wrong place, so we
overwrite a present bitmap, and thus cause all kinds of trouble.

To see the issue, note that the previous code read:

    pos = (void *)(it_present + 1);

The requirement now is that we need to calculate pos via it_optional, to
not trigger the compiler hardening checks, as:

    pos = (void *)&rthdr->it_optional[...];

Rewriting the original expression, we get (obviously, since that just
adds "+ x - x" terms):

    pos = (void *)(it_present + 1 + rthdr->it_optional - rthdr->it_optional)

and moving the "+ rthdr->it_optional" outside to be used as an array:

    pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];

The original is off by one, fix it.

Cc: stable@vger.kernel.org
Fixes: 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header bitmap")
Reported-by: Sid Hayn
Signed-off-by: Johannes Berg
---
 net/mac80211/rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index fc5c608d02e2..3562730ea0f8 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -364,7 +364,7 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, * the compiler to think we have walked past the end of the * struct member. */ - pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional]; + pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional]; /* the order of the following fields is important */ -- 2.31.1
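Review bot: the corrected index `it_present + 1 - rthdr->it_optional` is right only because `it_present` and `it_optional` share an element type, so the difference counts bitmap words and the `+ 1` is exactly the "one past the last present word" of the old `pos = (void *)(it_present + 1)`; the comment kept in the context explains why the array-index spelling is needed but not what the `+ 1` means, so a short addition above the assignment such as `/* pos starts at the word after the last it_present word */` would make this off-by-one harder to reintroduce. With the removed line, `pos` aliased the last bitmap word, so the first field written clobbered the present bitmap, which justifies the Cc: stable and the Fixes: tag on a one-character change.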
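To make the pointer-arithmetic argument in the commit message concrete, here is a constructed C model of the header layout; this is example code added for this note, not the kernel's own, and the struct, `pos_offset` and `clobbers_bitmap` are assumptions modelled on the names used in the patch. It computes where `pos` lands for the original expression, the broken index and the fixed one, for present bitmaps with zero or more extension words.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the layout used after commit 8c89f7b3d3f2 (fixed first
 * present word, then a flex array). Example code, not the kernel's declaration. */
struct radiotap_hdr {
	uint8_t  it_version;
	uint8_t  it_pad;
	uint16_t it_len;
	uint32_t it_present;    /* first present-bitmap word, byte offset 4 */
	uint32_t it_optional[]; /* extension words, then fields, byte offset 8 */
};

#define RADIOTAP_PRESENT_EXT (1u << 31) /* "another bitmap word follows" */

/* Byte offset of pos from the header start for a bitmap with ext_words
 * extension words. variant 0: pre-8c89f7b3d3f2 "it_present + 1"; 1: the index
 * that commit introduced; 2: the patched one. Last bitmap word: byte 4+4*ext. */
size_t pos_offset(unsigned ext_words, int variant)
{
	uint32_t buf[16];
	struct radiotap_hdr *rthdr = (struct radiotap_hdr *)buf;
	uint32_t *it_present = &rthdr->it_present;
	void *pos;

	/* Lay out the chain: every bitmap word but the last says "more follows". */
	memset(buf, 0, sizeof(buf));
	if (ext_words)
		rthdr->it_present = RADIOTAP_PRESENT_EXT;
	for (unsigned i = 0; i + 1 < ext_words; i++)
		rthdr->it_optional[i] = RADIOTAP_PRESENT_EXT;

	/* As the kernel does: advance it_present to the chain's last word. */
	while (*it_present & RADIOTAP_PRESENT_EXT)
		it_present++;

	if (variant == 0)
		pos = (void *)(it_present + 1);
	else if (variant == 1) /* broken: same address as the last bitmap word */
		pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];
	else                   /* fixed: one word past it, same as variant 0 */
		pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
	return (size_t)((uint8_t *)pos - (uint8_t *)rthdr);
}

/* 1 if this variant lets the first field written clobber the bitmap. */
int clobbers_bitmap(unsigned ext_words, int variant)
{
	return pos_offset(ext_words, variant) <= 4u + 4u * ext_words;
}
```

For every chain length the broken index lands exactly on the last bitmap word, while the fixed index reproduces the original `it_present + 1` position.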