nl80211: fix beacon head validation

Message ID	20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Johannes Berg <johannes@sipsolutions.net> To: linux-wireless@vger.kernel.org Cc: Johannes Berg <johannes.berg@intel.com>, syzkaller@googlegroups.com, syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com, Eric Dumazet <eric.dumazet@gmail.com> Subject: [PATCH] nl80211: fix beacon head validation Date: Thu, 8 Apr 2021 15:45:20 +0200 Message-Id: <20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	nl80211: fix beacon head validation \| expand nl80211: fix beacon head validation

Message ID

20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid

State

New

Headers

From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>, syzkaller@googlegroups.com,
	syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com,
	Eric Dumazet <eric.dumazet@gmail.com>
Subject: [PATCH] nl80211: fix beacon head validation
Date: Thu,  8 Apr 2021 15:45:20 +0200
Message-Id: <20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

nl80211: fix beacon head validation | expand

Commit Message

Johannes Berg April 8, 2021, 1:45 p.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

If the beacon head attribute (NL80211_ATTR_BEACON_HEAD)
is too short to even contain the frame control field,
we access uninitialized data beyond the buffer. Fix this
by checking the minimal required size first. We used to
do this until S1G support was added, where the fixed
data portion has a different size.

Cc: syzkaller@googlegroups.com
Reported-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: 1d47f1198d58 ("nl80211: correctly validate S1G beacon head")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
#syz test: https://github.com/google/kmsan.git master
---
 net/wireless/nl80211.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

syzbot April 8, 2021, 2:21 p.m. UTC | #1

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com

Tested on:

commit:         29ad81a1 arch/x86: add missing include to sparsemem.h
git tree:       https://github.com/google/kmsan.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=e6213d08918028fb
dashboard link: https://syzkaller.appspot.com/bug?extid=72b99dcf4607e8c770f3
compiler:       Debian clang version 11.0.1-2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14424d31d00000

Note: testing is done by a robot and is best-effort only.

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index adfa07c67b44..03426cf17ee6 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -229,9 +229,13 @@  static int validate_beacon_head(const struct nlattr *attr,
 	unsigned int len = nla_len(attr);
 	const struct element *elem;
 	const struct ieee80211_mgmt *mgmt = (void *)data;
-	bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
 	unsigned int fixedlen, hdrlen;
+	bool s1g_bcn;
 
+	if (len < offsetofend(typeof(*mgmt), frame_control))
+		goto err;
+
+	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
 	if (s1g_bcn) {
 		fixedlen = offsetof(struct ieee80211_ext,
 				    u.s1g_beacon.variable);

nl80211: fix beacon head validation

Commit Message

Comments

Patch